diff --git a/policy-f21-base.patch b/policy-f21-base.patch index 6069949..75c7870 100644 --- a/policy-f21-base.patch +++ b/policy-f21-base.patch @@ -17378,7 +17378,7 @@ index 7be4ddf..4d4c577 100644 -# This module currently does not have any file contexts. +/selinux -l gen_context(system_u:object_r:security_t,s0) diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if -index 6d0811d..f67bd8f 100644 +index 6d0811d..708f074 100644 --- a/policy/modules/kernel/selinux.if +++ b/policy/modules/kernel/selinux.if @@ -40,7 +40,7 @@ interface(`selinux_labeled_boolean',` @@ -17446,15 +17446,20 @@ index 6d0811d..f67bd8f 100644 allow $1 security_t:filesystem getattr; ') -@@ -221,6 +235,7 @@ interface(`selinux_search_fs',` +@@ -221,7 +235,12 @@ interface(`selinux_search_fs',` ') dev_search_sysfs($1) + allow $1 security_t:lnk_file read_lnk_file_perms; allow $1 security_t:dir search_dir_perms; ++ ++ optional_policy(` ++ seutil_search_config($1) ++ ') ') -@@ -244,6 +259,28 @@ interface(`selinux_dontaudit_search_fs',` + ######################################## +@@ -244,6 +263,28 @@ interface(`selinux_dontaudit_search_fs',` ######################################## ## @@ -17483,7 +17488,7 @@ index 6d0811d..f67bd8f 100644 ## Do not audit attempts to read ## generic selinuxfs entries ## -@@ -258,6 +295,7 @@ interface(`selinux_dontaudit_read_fs',` +@@ -258,6 +299,7 @@ interface(`selinux_dontaudit_read_fs',` type security_t; ') @@ -17491,7 +17496,7 @@ index 6d0811d..f67bd8f 100644 dontaudit $1 security_t:dir search_dir_perms; dontaudit $1 security_t:file read_file_perms; ') -@@ -280,8 +318,10 @@ interface(`selinux_get_enforce_mode',` +@@ -280,8 +322,10 @@ interface(`selinux_get_enforce_mode',` ') dev_search_sysfs($1) 
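Review bot: In the `selinux_search_fs` hunk, the kernel-layer interface now calls `seutil_search_config($1)` from the system-layer selinuxutil.if; refpolicy layering normally runs the other way (system modules depend on kernel modules, not kernel on system), and the `optional_policy` wrapper only avoids a build failure when selinuxutil is absent, it does not remove the inverted dependency. The rule also hands search on /etc/selinux to every caller of `selinux_search_fs`, a wide set, while the changelog motivates it only by a check for /etc/selinux/config. If the call stays here, a why-comment on the optional block, e.g. `# lets callers check whether /etc/selinux/config exists (BZ 1219045)`, would record the reason for future readers. The interface body begins before the hunk.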
@@ -17502,7 +17507,7 @@ index 6d0811d..f67bd8f 100644 ') ######################################## -@@ -310,22 +350,12 @@ interface(`selinux_set_enforce_mode',` +@@ -310,22 +354,12 @@ interface(`selinux_set_enforce_mode',` gen_require(` type security_t; attribute can_setenforce; @@ -17525,7 +17530,7 @@ index 6d0811d..f67bd8f 100644 ') ######################################## -@@ -342,22 +372,13 @@ interface(`selinux_load_policy',` +@@ -342,22 +376,13 @@ interface(`selinux_load_policy',` gen_require(` type security_t; attribute can_load_policy; @@ -17549,7 +17554,7 @@ index 6d0811d..f67bd8f 100644 ') ######################################## -@@ -378,6 +399,7 @@ interface(`selinux_read_policy',` +@@ -378,6 +403,7 @@ interface(`selinux_read_policy',` dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; allow $1 security_t:file read_file_perms; @@ -17557,7 +17562,7 @@ index 6d0811d..f67bd8f 100644 allow $1 security_t:security read_policy; ') -@@ -438,19 +460,15 @@ interface(`selinux_set_boolean',` +@@ -438,19 +464,15 @@ interface(`selinux_set_boolean',` interface(`selinux_set_generic_booleans',` gen_require(` type security_t; @@ -17580,7 +17585,7 @@ index 6d0811d..f67bd8f 100644 ') ######################################## -@@ -479,25 +497,16 @@ interface(`selinux_set_all_booleans',` +@@ -479,25 +501,16 @@ interface(`selinux_set_all_booleans',` gen_require(` type security_t, secure_mode_policyload_t; attribute boolean_type; @@ -17612,7 +17617,7 @@ index 6d0811d..f67bd8f 100644 ') ######################################## -@@ -528,7 +537,9 @@ interface(`selinux_set_parameters',` +@@ -528,7 +541,9 @@ interface(`selinux_set_parameters',` attribute can_setsecparam; ') 
@@ -17622,7 +17627,7 @@ index 6d0811d..f67bd8f 100644 allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security setsecparam; -@@ -552,7 +563,9 @@ interface(`selinux_validate_context',` +@@ -552,7 +567,9 @@ interface(`selinux_validate_context',` type security_t; ') @@ -17632,7 +17637,7 @@ index 6d0811d..f67bd8f 100644 allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security check_context; -@@ -595,7 +608,9 @@ interface(`selinux_compute_access_vector',` +@@ -595,7 +612,9 @@ interface(`selinux_compute_access_vector',` type security_t; ') @@ -17642,7 +17647,7 @@ index 6d0811d..f67bd8f 100644 allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security compute_av; -@@ -617,7 +632,9 @@ interface(`selinux_compute_create_context',` +@@ -617,7 +636,9 @@ interface(`selinux_compute_create_context',` type security_t; ') @@ -17652,7 +17657,7 @@ index 6d0811d..f67bd8f 100644 allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security compute_create; -@@ -639,7 +656,9 @@ interface(`selinux_compute_member',` +@@ -639,7 +660,9 @@ interface(`selinux_compute_member',` type security_t; ') @@ -17662,7 +17667,7 @@ index 6d0811d..f67bd8f 100644 allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security compute_member; -@@ -669,7 +688,9 @@ interface(`selinux_compute_relabel_context',` +@@ -669,7 +692,9 @@ interface(`selinux_compute_relabel_context',` type security_t; ') @@ -17672,7 +17677,7 @@ index 6d0811d..f67bd8f 100644 allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security compute_relabel; -@@ -677,6 +698,29 @@ interface(`selinux_compute_relabel_context',` +@@ -677,6 +702,29 @@ interface(`selinux_compute_relabel_context',` ######################################## ## 
@@ -17702,7 +17707,7 @@ index 6d0811d..f67bd8f 100644 ## Allows caller to compute possible contexts for a user. ## ## -@@ -690,7 +734,9 @@ interface(`selinux_compute_user_contexts',` +@@ -690,7 +738,9 @@ interface(`selinux_compute_user_contexts',` type security_t; ') @@ -17712,7 +17717,7 @@ index 6d0811d..f67bd8f 100644 allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security compute_user; -@@ -712,4 +758,28 @@ interface(`selinux_unconfined',` +@@ -712,4 +762,28 @@ interface(`selinux_unconfined',` ') typeattribute $1 selinux_unconfined_type; @@ -28272,7 +28277,7 @@ index 3efd5b6..9e85ea0 100644 + allow $1 login_pgm:key manage_key_perms; +') diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index 09b791d..03657db 100644 +index 09b791d..15dea9c 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1) @@ -28596,7 +28601,7 @@ index 09b791d..03657db 100644 optional_policy(` kerberos_use(nsswitch_domain) ') -@@ -456,10 +520,155 @@ optional_policy(` +@@ -456,10 +520,156 @@ optional_policy(` optional_policy(` sssd_stream_connect(nsswitch_domain) @@ -28636,6 +28641,7 @@ index 09b791d..03657db 100644 +allow login_pgm self:process setkeycreate; +allow login_pgm self:key manage_key_perms; +userdom_manage_all_users_keys(login_pgm) ++allow login_pgm nsswitch_domain:key manage_key_perms; + +files_list_var_lib(login_pgm) +manage_dirs_pattern(login_pgm, var_auth_t, var_auth_t) @@ -37543,7 +37549,7 @@ index d43f3b1..870bc36 100644 +/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) +/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if -index 3822072..0bd60a7 100644 +index 3822072..d072ee8 100644 --- a/policy/modules/system/selinuxutil.if 
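Review bot: `allow login_pgm nsswitch_domain:key manage_key_perms;` in the authlogin.te hunk gives every login program full key management (manage_key_perms in refpolicy includes write, setattr and link, not just read/search/view) over the keyrings of every nsswitch_domain process, a far broader target set than the per-user keys granted just above by `userdom_manage_all_users_keys(login_pgm)`. The changelog only says "access kernel keyring for nsswitch domains", so whether write access is actually required cannot be told from the hunk; if the consumers only look keys up, a read-oriented permission set would be the least-privilege form. At minimum the line deserves a why-comment, e.g. `# login programs populate kernel keyrings later consumed by nsswitch_domain helpers (see rpc.te gssd change)`. The login_pgm block continues outside the hunk.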
+++ b/policy/modules/system/selinuxutil.if @@ -135,6 +135,42 @@ interface(`seutil_exec_loadpolicy',` @@ -37786,7 +37792,33 @@ index 3822072..0bd60a7 100644 ## Do not audit attempts to search the SELinux ## configuration directory (/etc/selinux). ## -@@ -680,8 +848,113 @@ interface(`seutil_manage_config',` +@@ -574,6 +742,25 @@ interface(`seutil_dontaudit_search_config',` + + ######################################## + ## ++## Allow attempts to search the SELinux ++## configuration directory (/etc/selinux). ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`seutil_search_config',` ++ gen_require(` ++ type selinux_config_t; ++ ') ++ ++ allow $1 selinux_config_t:dir search_dir_perms; ++') ++ ++######################################## ++## + ## Do not audit attempts to read the SELinux + ## userland configuration (/etc/selinux). + ## +@@ -680,8 +867,113 @@ interface(`seutil_manage_config',` ') files_search_etc($1) @@ -37901,7 +37933,7 @@ index 3822072..0bd60a7 100644 ') ####################################### -@@ -694,15 +967,62 @@ interface(`seutil_manage_config',` +@@ -694,15 +986,62 @@ interface(`seutil_manage_config',` ## Domain allowed access. ## ## @@ -37967,7 +37999,7 @@ index 3822072..0bd60a7 100644 ') ######################################## -@@ -746,6 +1066,29 @@ interface(`seutil_read_default_contexts',` +@@ -746,6 +1085,29 @@ interface(`seutil_read_default_contexts',` read_files_pattern($1, default_context_t, default_context_t) ') @@ -37997,7 +38029,7 @@ index 3822072..0bd60a7 100644 ######################################## ## ## Create, read, write, and delete the default_contexts files. -@@ -784,7 +1127,9 @@ interface(`seutil_read_file_contexts',` +@@ -784,7 +1146,9 @@ interface(`seutil_read_file_contexts',` files_search_etc($1) allow $1 { selinux_config_t default_context_t }:dir search_dir_perms; 
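Review bot: The new `seutil_search_config` interface grants `selinux_config_t:dir search_dir_perms` but, unlike the other seutil config interfaces visible in this file section that reach /etc/selinux (`seutil_manage_config` and `seutil_read_file_contexts` both call `files_search_etc($1)`), it does not grant search on /etc itself, so a caller that has no etc search from elsewhere still cannot reach /etc/selinux. Unless the omission is deliberate for a dontaudit-style minimal grant, add `files_search_etc($1)` before the allow rule. The interface is complete within the hunk.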
@@ -38007,7 +38039,7 @@ index 3822072..0bd60a7 100644 ') ######################################## -@@ -999,6 +1344,26 @@ interface(`seutil_domtrans_semanage',` +@@ -999,6 +1363,26 @@ interface(`seutil_domtrans_semanage',` ######################################## ## @@ -38034,7 +38066,7 @@ index 3822072..0bd60a7 100644 ## Execute semanage in the semanage domain, and ## allow the specified role the semanage domain, ## and use the caller's terminal. -@@ -1017,11 +1382,85 @@ interface(`seutil_domtrans_semanage',` +@@ -1017,11 +1401,85 @@ interface(`seutil_domtrans_semanage',` # interface(`seutil_run_semanage',` gen_require(` @@ -38122,7 +38154,7 @@ index 3822072..0bd60a7 100644 ') ######################################## -@@ -1043,7 +1482,11 @@ interface(`seutil_manage_module_store',` +@@ -1043,7 +1501,11 @@ interface(`seutil_manage_module_store',` files_search_etc($1) manage_dirs_pattern($1, selinux_config_t, semanage_store_t) manage_files_pattern($1, semanage_store_t, semanage_store_t) @@ -38134,7 +38166,7 @@ index 3822072..0bd60a7 100644 ') ####################################### -@@ -1067,6 +1510,24 @@ interface(`seutil_get_semanage_read_lock',` +@@ -1067,6 +1529,24 @@ interface(`seutil_get_semanage_read_lock',` ####################################### ## @@ -38159,7 +38191,7 @@ index 3822072..0bd60a7 100644 ## Get trans lock on module store ## ## -@@ -1137,3 +1598,122 @@ interface(`seutil_dontaudit_libselinux_linked',` +@@ -1137,3 +1617,122 @@ interface(`seutil_dontaudit_libselinux_linked',` selinux_dontaudit_get_fs_mount($1) seutil_dontaudit_read_config($1) ') diff --git a/policy-f21-contrib.patch b/policy-f21-contrib.patch index 7407263..8526eda 100644 --- a/policy-f21-contrib.patch +++ b/policy-f21-contrib.patch @@ -539,7 +539,7 @@ index 058d908..1e92177 100644 +') + diff --git a/abrt.te b/abrt.te -index eb50f07..b544b89 100644 +index eb50f07..d355384 100644 --- a/abrt.te +++ b/abrt.te @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1) 
@@ -814,7 +814,7 @@ index eb50f07..b544b89 100644 ') optional_policy(` -@@ -222,6 +249,20 @@ optional_policy(` +@@ -222,6 +249,24 @@ optional_policy(` ') optional_policy(` @@ -831,11 +831,15 @@ index eb50f07..b544b89 100644 +') + +optional_policy(` ++ pcp_read_lib_files(abrt_t) ++') ++ ++optional_policy(` + policykit_dbus_chat(abrt_t) policykit_domtrans_auth(abrt_t) policykit_read_lib(abrt_t) policykit_read_reload(abrt_t) -@@ -234,6 +275,11 @@ optional_policy(` +@@ -234,6 +279,11 @@ optional_policy(` ') optional_policy(` @@ -847,7 +851,7 @@ index eb50f07..b544b89 100644 rpm_exec(abrt_t) rpm_dontaudit_manage_db(abrt_t) rpm_manage_cache(abrt_t) -@@ -243,6 +289,7 @@ optional_policy(` +@@ -243,6 +293,7 @@ optional_policy(` rpm_signull(abrt_t) ') @@ -855,7 +859,7 @@ index eb50f07..b544b89 100644 optional_policy(` sendmail_domtrans(abrt_t) ') -@@ -253,9 +300,21 @@ optional_policy(` +@@ -253,9 +304,21 @@ optional_policy(` sosreport_delete_tmp_files(abrt_t) ') @@ -878,7 +882,7 @@ index eb50f07..b544b89 100644 # allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms; -@@ -266,9 +325,13 @@ tunable_policy(`abrt_handle_event',` +@@ -266,9 +329,13 @@ tunable_policy(`abrt_handle_event',` can_exec(abrt_t, abrt_handle_event_exec_t) ') @@ -893,7 +897,7 @@ index eb50f07..b544b89 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -281,6 +344,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) +@@ -281,6 +348,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) 
@@ -901,7 +905,7 @@ index eb50f07..b544b89 100644 read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) -@@ -289,15 +353,20 @@ corecmd_read_all_executables(abrt_helper_t) +@@ -289,15 +357,20 @@ corecmd_read_all_executables(abrt_helper_t) domain_read_all_domains_state(abrt_helper_t) @@ -922,7 +926,7 @@ index eb50f07..b544b89 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -305,11 +374,25 @@ ifdef(`hide_broken_symptoms',` +@@ -305,11 +378,25 @@ ifdef(`hide_broken_symptoms',` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -949,7 +953,7 @@ index eb50f07..b544b89 100644 # allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms; -@@ -327,10 +410,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) +@@ -327,10 +414,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) dev_read_urand(abrt_retrace_coredump_t) @@ -963,7 +967,7 @@ index eb50f07..b544b89 100644 optional_policy(` rpm_exec(abrt_retrace_coredump_t) rpm_dontaudit_manage_db(abrt_retrace_coredump_t) -@@ -343,10 +428,11 @@ optional_policy(` +@@ -343,10 +432,11 @@ optional_policy(` ####################################### # @@ -977,7 +981,7 @@ index eb50f07..b544b89 100644 allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) -@@ -365,38 +451,58 @@ corecmd_exec_shell(abrt_retrace_worker_t) +@@ -365,38 +455,58 @@ corecmd_exec_shell(abrt_retrace_worker_t) dev_read_urand(abrt_retrace_worker_t) 
@@ -1040,7 +1044,7 @@ index eb50f07..b544b89 100644 ####################################### # -@@ -404,25 +510,58 @@ logging_read_generic_logs(abrt_dump_oops_t) +@@ -404,25 +514,58 @@ logging_read_generic_logs(abrt_dump_oops_t) # allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms; @@ -1101,7 +1105,7 @@ index eb50f07..b544b89 100644 ') ####################################### -@@ -430,10 +569,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` +@@ -430,10 +573,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` # Global local policy # @@ -3031,10 +3035,10 @@ index 0000000..36251b9 +') diff --git a/antivirus.te b/antivirus.te new file mode 100644 -index 0000000..253a684 +index 0000000..6183b21 --- /dev/null +++ b/antivirus.te -@@ -0,0 +1,270 @@ +@@ -0,0 +1,271 @@ +policy_module(antivirus, 1.0.0) + +######################################## @@ -3101,7 +3105,7 @@ index 0000000..253a684 +# antivirus domain local policy +# + -+allow antivirus_domain self:capability { dac_override chown kill setgid setuid sys_admin }; ++allow antivirus_domain self:capability { dac_override chown kill fsetid setgid setuid sys_admin }; +dontaudit antivirus_domain self:capability sys_tty_config; +allow antivirus_domain self:process signal_perms; + @@ -3140,6 +3144,7 @@ index 0000000..253a684 + +can_exec(antivirus_domain, antivirus_exec_t) + ++kernel_read_system_state(antivirus_t) +kernel_read_network_state(antivirus_domain) +kernel_read_all_sysctls(antivirus_domain) + @@ -5148,7 +5153,7 @@ index f6eb485..164501c 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 6649962..0eb93ab 100644 +index 6649962..544794c 100644 --- a/apache.te +++ b/apache.te @@ -5,280 +5,339 @@ policy_module(apache, 2.7.2) 
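Review bot: `kernel_read_system_state(antivirus_t)` in the antivirus.te hunk targets the single type while the neighbouring rules in the same block (`kernel_read_network_state(antivirus_domain)`, `kernel_read_all_sysctls(antivirus_domain)`) target the attribute; the changelog names antivirus_t, so this may be intended, but mixed targets in one block read as a slip and should carry a comment if deliberate. The hunk a little above has the opposite imbalance: `fsetid` is added to `antivirus_domain self:capability`, i.e. to every antivirus domain, although the changelog justifies it only for clamd (BZ 1215308). Either scope the capability to the domain clamd runs in or note why the whole attribute needs it, e.g. `# fsetid: needed by clamd (BZ 1215308); granted to all antivirus domains for uniformity`.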
@@ -7342,7 +7347,7 @@ index 6649962..0eb93ab 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1382,38 +1631,101 @@ dev_read_urand(httpd_passwd_t) +@@ -1382,38 +1631,103 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) @@ -7463,6 +7468,8 @@ index 6649962..0eb93ab 100644 + +tunable_policy(`httpd_use_openstack',` + corenet_tcp_connect_osapi_compute_port(httpd_t) ++ corenet_tcp_bind_commplex_main_port(httpd_t) ++ keystone_read_log(httpd_t) ') diff --git a/apcupsd.fc b/apcupsd.fc index 5ec0e13..97c204f 100644 @@ -12760,10 +12767,10 @@ index 0000000..fc9cae7 +') diff --git a/cinder.te b/cinder.te new file mode 100644 -index 0000000..f257547 +index 0000000..488a7a6 --- /dev/null +++ b/cinder.te -@@ -0,0 +1,167 @@ +@@ -0,0 +1,169 @@ +policy_module(cinder, 1.0.0) + +######################################## @@ -12890,6 +12897,8 @@ index 0000000..f257547 + +auth_use_nsswitch(cinder_backup_t) + ++systemd_dbus_chat_logind(cinder_backup_t) ++ +optional_policy(` + unconfined_domain(cinder_backup_t) +') @@ -24821,7 +24830,7 @@ index 0000000..457d4dd +') diff --git a/dnssec.te b/dnssec.te new file mode 100644 -index 0000000..64f1a64 +index 0000000..b759cd7 --- /dev/null +++ b/dnssec.te @@ -0,0 +1,68 @@ @@ -24846,7 +24855,7 @@ index 0000000..64f1a64 +# +# dnssec_trigger local policy +# -+allow dnssec_trigger_t self:capability linux_immutable; ++allow dnssec_trigger_t self:capability { net_admin linux_immutable }; +allow dnssec_trigger_t self:process signal; +allow dnssec_trigger_t self:fifo_file rw_fifo_file_perms; +allow dnssec_trigger_t self:unix_stream_socket create_stream_socket_perms; @@ -66902,7 +66911,7 @@ index 0000000..798efb6 +') diff --git a/pki.te b/pki.te new file mode 100644 -index 0000000..995cc23 +index 0000000..bdeebb9 --- /dev/null +++ b/pki.te @@ -0,0 +1,281 @@ 
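Review bot: `keystone_read_log(httpd_t)` in the apache.te hunk is an interface from a separate contrib module (keystone) but is called directly inside `tunable_policy(\`httpd_use_openstack',...)` with no `optional_policy` around it, so apache.te now fails to build whenever the keystone module is not present. Since refpolicy requires the nesting the other way round (optional_policy containing tunable_policy, never the reverse), the keystone call needs its own optional block as below, while the two corenet calls can stay in the existing tunable block. The tunable block is complete within the hunk.
```m4
tunable_policy(`httpd_use_openstack',`
	corenet_tcp_connect_osapi_compute_port(httpd_t)
	corenet_tcp_bind_commplex_main_port(httpd_t)
')

# keystone is a separate contrib module: keep the tunable inside optional_policy
optional_policy(`
	tunable_policy(`httpd_use_openstack',`
		keystone_read_log(httpd_t)
	')
')
```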
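Review bot: `allow dnssec_trigger_t self:capability { net_admin linux_immutable };` in the dnssec.te hunk adds net_admin, one of the broadest capabilities (interface, routing, firewall and socket-option control), with no comment on the line; the only justification is the changelog sentence about Wi-Fi reconnect. Record that next to the rule, e.g. `# net_admin: required for wifi reconnect handling (3.13.1-105.16 changelog)`, and if the underlying operation is best-effort, consider whether a dontaudit would be enough — which cannot be decided from the hunk. The dnssec_trigger_t block continues outside the hunk.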
@@ -66993,7 +67002,7 @@ index 0000000..995cc23 +manage_dirs_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t) +manage_files_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t) +manage_lnk_files_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t) -+allow pki_tomcat_t pki_tomcat_etc_rw_t:file relabelfrom_file_perms; ++allow pki_tomcat_t pki_tomcat_etc_rw_t:file relabel_file_perms; + +manage_dirs_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t) +manage_files_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t) @@ -85406,7 +85415,7 @@ index 0bf13c2..8236a71 100644 type nfsd_initrc_exec_t, rpcd_initrc_exec_t, exports_t; type var_lib_nfs_t, rpcd_var_run_t, gssd_tmp_t; diff --git a/rpc.te b/rpc.te -index 2da9fca..b225fea 100644 +index 2da9fca..876a4e7 100644 --- a/rpc.te +++ b/rpc.te @@ -6,22 +6,20 @@ policy_module(rpc, 1.15.1) @@ -85695,7 +85704,7 @@ index 2da9fca..b225fea 100644 kernel_read_network_state(gssd_t) kernel_read_network_state_symlinks(gssd_t) kernel_request_load_module(gssd_t) -@@ -288,25 +311,30 @@ kernel_signal(gssd_t) +@@ -288,25 +311,31 @@ kernel_signal(gssd_t) corecmd_exec_bin(gssd_t) @@ -85713,6 +85722,7 @@ index 2da9fca..b225fea 100644 +auth_use_nsswitch(gssd_t) auth_manage_cache(gssd_t) ++auth_login_manage_key(gssd_t) miscfiles_read_generic_certs(gssd_t) @@ -85729,7 +85739,7 @@ index 2da9fca..b225fea 100644 ') optional_policy(` -@@ -314,9 +342,12 @@ optional_policy(` +@@ -314,9 +343,12 @@ optional_policy(` ') optional_policy(` @@ -104639,10 +104649,10 @@ index 3d11c6a..b19a117 100644 optional_policy(` diff --git a/virt.fc b/virt.fc -index a4f20bc..b3bd64f 100644 +index a4f20bc..374e8ef 100644 --- a/virt.fc +++ b/virt.fc -@@ -1,51 +1,99 @@ +@@ -1,51 +1,101 @@ -HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) -HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) -HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0) 
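Review bot: Replacing `relabelfrom_file_perms` with `relabel_file_perms` on `pki_tomcat_etc_rw_t` in the pki.te hunk adds relabelto alongside relabelfrom, so pki_tomcat_t may now assign that label to files rather than only strip it, and no entry in this commit's changelog mentions the widening. If relabelto is genuinely needed, a one-line why-comment on the rule naming the operation that requires it (e.g. `# relabelto: <operation needing it — TODO fill in>`) would keep the grant reviewable; otherwise keep the narrower relabelfrom form. The pki_tomcat_t block continues outside the hunk.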
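Review bot: `auth_login_manage_key(gssd_t)` in the rpc.te hunk, if it is the interface whose body appears earlier in this commit (`allow $1 login_pgm:key manage_key_perms;`), gives gssd write, link and setattr on the keyrings of every login program, whereas looking up credentials normally needs only view, read and search. If gssd merely reads the session keyring, a narrower rule such as `allow gssd_t login_pgm:key { view read search };` is the least-privilege grant; if it really populates those keyrings, a why-comment on the call would record that. The gssd_t block continues outside the hunk.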
@@ -104660,6 +104670,8 @@ index a4f20bc..b3bd64f 100644 +HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_home_t,s0) +HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +HOME_DIR/\.local/share/gnome-boxes/images(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) ++HOME_DIR/\.local/share/libvirt/images(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) ++HOME_DIR/\.local/share/libvirt/boot(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) -/etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0) +/etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0) @@ -104781,7 +104793,7 @@ index a4f20bc..b3bd64f 100644 +/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) +/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index facdee8..f6b8a09 100644 +index facdee8..2f7dfa1 100644 --- a/virt.if +++ b/virt.if @@ -1,120 +1,51 @@ @@ -106350,7 +106362,7 @@ index facdee8..f6b8a09 100644 ## ## ## -@@ -1069,21 +1131,28 @@ interface(`virt_manage_svirt_cache',` +@@ -1069,21 +1131,29 @@ interface(`virt_manage_svirt_cache',` ## ## # @@ -106376,6 +106388,7 @@ index facdee8..f6b8a09 100644 + gnome_cache_filetrans($1, virt_home_t, dir, "libvirt-sandbox") + gnome_cache_filetrans($1, virt_home_t, dir, "gnome-boxes") + gnome_data_filetrans($1, svirt_home_t, dir, "images") ++ gnome_data_filetrans($1, svirt_home_t, dir, "boot") + ') ') @@ -106387,7 +106400,7 @@ index facdee8..f6b8a09 100644 ## ## ## -@@ -1091,36 +1160,188 @@ interface(`virt_manage_virt_cache',` +@@ -1091,36 +1161,188 @@ interface(`virt_manage_virt_cache',` ## ## # @@ -106594,7 +106607,7 @@ index facdee8..f6b8a09 100644 ## ## ## -@@ -1136,50 +1357,53 @@ interface(`virt_manage_images',` +@@ -1136,50 +1358,53 @@ interface(`virt_manage_images',` # interface(`virt_admin',` gen_require(` diff --git a/selinux-policy.spec b/selinux-policy.spec index fd4633f..3835fd8 100644 
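Review bot: `gnome_data_filetrans($1, svirt_home_t, dir, "boot")` in the virt.if hunk is a name-based transition, so (assuming gnome_data_filetrans is a plain filetrans on the GNOME data-home type) any directory named `boot` that the caller creates directly under a data-home-labelled directory gets svirt_home_t, not only the `~/.local/share/libvirt/boot` path that the virt.fc hunk labels. That is the same shape as the existing `images` line, so it is presumably accepted, but a comment would make the scope explicit, e.g. `# name-based: new "images"/"boot" dirs under ~/.local/share get svirt_home_t (matches virt.fc)`. The enclosing interface continues outside the hunk.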
--- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 105.15%{?dist} +Release: 105.16%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -604,6 +604,21 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue May 19 2015 Lukas Vrabec 3.13.1-105.16 +- Allow net_admin cap for dnssec-trigger to make wifi reconnect working. +- Allow antivirus_t to read system state info.BZ(1217616) +- Add support for ~/.local/share/libvirt/images and for ~/.local/share/libvirt/boot. BZ(1215359) +- Clamd needs to have fsetid capability. BZ(1215308) +- Allow cinder-backup to dbus chat with systemd-logind. BZ(1207098) +- Update httpd_use_openstack boolean to allow httpd to bind commplex_main_port and read keystone log files. +- Allow gssd to access kernel keyring for login_pgm domains. +- Allow eu-unstrip running under abrt_t to access /var/lib/pcp/pmdas/linux/pmda_linux.so (#1207410) +- Fix description for seutil_search_config() interface. +- Fix selinux_search_fs() interface. +- Update selinux_search_fs(domain) rule to have ability to search /etc/selinuc/ to check if /etc/selinux/config exists. BZ(1219045) +- Add seutil_search_config() interface. +- Allow login_pgm domains to access kernel keyring for nsswitch domains. + * Thu Apr 30 2015 Lukas Vrabec 3.13.1-105.15 - Allow dnssec-trigger to send sigchld to networkmanager - add interface networkmanager_sigchld