diff --git a/policy-f18-base.patch b/policy-f18-base.patch index c81dba5..c7bd805 100644 --- a/policy-f18-base.patch +++ b/policy-f18-base.patch @@ -127593,10 +127593,10 @@ index 4318f73..67baac4 100644 + ') +') diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc -index 078bcd7..72e7b08 100644 +index 078bcd7..dc5188e 100644 --- a/policy/modules/services/ssh.fc +++ b/policy/modules/services/ssh.fc -@@ -1,16 +1,38 @@ +@@ -1,16 +1,39 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +HOME_DIR/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) + @@ -127625,6 +127625,7 @@ index 078bcd7..72e7b08 100644 +/usr/lib/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0) +/usr/lib/systemd/system/sshd.* -- gen_context(system_u:object_r:sshd_unit_file_t,s0) + ++/usr/libexec/nm-ssh-service -- gen_context(system_u:object_r:ssh_exec_t,s0) /usr/libexec/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0) /usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0) @@ -136513,35 +136514,39 @@ index 0d4c8d3..0c32fb4 100644 ######################################## diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te -index a30840c..7fdc6c9 100644 +index a30840c..08d773d 100644 --- a/policy/modules/system/ipsec.te 
+++ b/policy/modules/system/ipsec.te -@@ -73,13 +73,15 @@ role system_r types setkey_t; +@@ -72,14 +72,18 @@ role system_r types setkey_t; + # ipsec Local policy # - allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice }; +-allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice }; -dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config }; ++allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice new_raw setuid }; +dontaudit ipsec_t self:capability sys_tty_config; allow ipsec_t self:process { getcap setcap getsched signal setsched }; allow ipsec_t self:tcp_socket create_stream_socket_perms; allow ipsec_t self:udp_socket create_socket_perms; ++allow ipsec_t self:packet_socket create_socket_perms; allow ipsec_t self:key_socket create_socket_perms; allow ipsec_t self:fifo_file read_fifo_file_perms; allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write }; +allow ipsec_t self:netlink_selinux_socket create_socket_perms; +allow ipsec_t self:unix_stream_socket { create_stream_socket_perms connectto }; ++allow ipsec_t self:netlink_route_socket { create_netlink_socket_perms write }; allow ipsec_t ipsec_initrc_exec_t:file read_file_perms; -@@ -113,6 +115,7 @@ allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write }; +@@ -113,6 +117,7 @@ allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write }; allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld }; kernel_read_kernel_sysctls(ipsec_t) -+kernel_read_net_sysctls(ipsec_t) ++kernel_rw_net_sysctls(ipsec_t) kernel_list_proc(ipsec_t) kernel_read_proc_symlinks(ipsec_t) # allow pluto to access /proc/net/ipsec_eroute; -@@ -127,20 +130,21 @@ corecmd_exec_shell(ipsec_t) +@@ -127,20 +132,22 @@ corecmd_exec_shell(ipsec_t) corecmd_exec_bin(ipsec_t) # Pluto needs network access 
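Review bot: The new capability rule for ipsec_t names `new_raw`, which is not a permission of the capability class; given the `packet_socket` rule added two lines below, the intended permission is `net_raw`, and as written the module will be rejected at build time. Change the line to `allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice net_raw setuid };`. The same line also adds `setuid`, and the second hunk widens `kernel_read_net_sysctls(ipsec_t)` to `kernel_rw_net_sysctls(ipsec_t)`; neither carries a comment naming the operation that produced the denial, so a short why-comment next to each would let a later reviewer judge whether the scope is still minimal.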
@@ -136563,6 +136568,7 @@ index a30840c..7fdc6c9 100644 corenet_tcp_bind_isakmp_port(ipsec_t) corenet_udp_bind_isakmp_port(ipsec_t) corenet_udp_bind_ipsecnat_port(ipsec_t) ++corenet_udp_bind_dhcpc_port(ipsec_t) corenet_sendrecv_generic_server_packets(ipsec_t) corenet_sendrecv_isakmp_server_packets(ipsec_t) +corenet_tcp_connect_http_port(ipsec_t) @@ -136570,7 +136576,7 @@ index a30840c..7fdc6c9 100644 dev_read_sysfs(ipsec_t) dev_read_rand(ipsec_t) -@@ -156,6 +160,8 @@ files_dontaudit_search_home(ipsec_t) +@@ -156,6 +163,8 @@ files_dontaudit_search_home(ipsec_t) fs_getattr_all_fs(ipsec_t) fs_search_auto_mountpoints(ipsec_t) @@ -136579,7 +136585,7 @@ index a30840c..7fdc6c9 100644 term_use_console(ipsec_t) term_dontaudit_use_all_ttys(ipsec_t) -@@ -164,11 +170,13 @@ auth_use_nsswitch(ipsec_t) +@@ -164,11 +173,13 @@ auth_use_nsswitch(ipsec_t) init_use_fds(ipsec_t) init_use_script_ptys(ipsec_t) @@ -136594,7 +136600,7 @@ index a30840c..7fdc6c9 100644 userdom_dontaudit_use_unpriv_user_fds(ipsec_t) userdom_dontaudit_search_user_home_dirs(ipsec_t) -@@ -186,10 +194,10 @@ optional_policy(` +@@ -186,10 +197,10 @@ optional_policy(` # ipsec_mgmt Local policy # @@ -136609,7 +136615,7 @@ index a30840c..7fdc6c9 100644 allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms; allow ipsec_mgmt_t self:udp_socket create_socket_perms; allow ipsec_mgmt_t self:key_socket create_socket_perms; -@@ -209,6 +217,7 @@ allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; +@@ -209,6 +220,7 @@ allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file) manage_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t) 
@@ -136617,7 +136623,7 @@ index a30840c..7fdc6c9 100644 manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t) allow ipsec_mgmt_t ipsec_var_run_t:sock_file manage_sock_file_perms; -@@ -245,6 +254,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) +@@ -245,6 +257,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) kernel_getattr_core_if(ipsec_mgmt_t) kernel_getattr_message_if(ipsec_mgmt_t) @@ -136634,7 +136640,7 @@ index a30840c..7fdc6c9 100644 files_read_kernel_symbol_table(ipsec_mgmt_t) files_getattr_kernel_modules(ipsec_mgmt_t) -@@ -254,6 +273,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t) +@@ -254,6 +276,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t) corecmd_exec_bin(ipsec_mgmt_t) corecmd_exec_shell(ipsec_mgmt_t) @@ -136643,7 +136649,7 @@ index a30840c..7fdc6c9 100644 dev_read_rand(ipsec_mgmt_t) dev_read_urand(ipsec_mgmt_t) -@@ -277,9 +298,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) +@@ -277,9 +301,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) fs_list_tmpfs(ipsec_mgmt_t) term_use_console(ipsec_mgmt_t) @@ -136655,7 +136661,7 @@ index a30840c..7fdc6c9 100644 init_read_utmp(ipsec_mgmt_t) init_use_script_ptys(ipsec_mgmt_t) -@@ -289,15 +311,18 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t) +@@ -289,15 +314,18 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t) logging_send_syslog_msg(ipsec_mgmt_t) 
@@ -136679,7 +136685,27 @@ index a30840c..7fdc6c9 100644 optional_policy(` consoletype_exec(ipsec_mgmt_t) -@@ -369,13 +394,12 @@ kernel_request_load_module(racoon_t) +@@ -321,6 +349,10 @@ optional_policy(` + ') + + optional_policy(` ++ l2tpd_read_pid_files(ipsec_mgmt_t) ++') ++ ++optional_policy(` + modutils_domtrans_insmod(ipsec_mgmt_t) + ') + +@@ -334,7 +366,7 @@ optional_policy(` + # + + allow racoon_t self:capability { net_admin net_bind_service }; +-allow racoon_t self:netlink_route_socket create_netlink_socket_perms; ++allow racoon_t self:netlink_route_socket { create_netlink_socket_perms }; + allow racoon_t self:unix_dgram_socket { connect create ioctl write }; + allow racoon_t self:netlink_selinux_socket { bind create read }; + allow racoon_t self:udp_socket create_socket_perms; +@@ -369,13 +401,12 @@ kernel_request_load_module(racoon_t) corecmd_exec_shell(racoon_t) corecmd_exec_bin(racoon_t) @@ -136699,7 +136725,7 @@ index a30840c..7fdc6c9 100644 corenet_udp_bind_isakmp_port(racoon_t) corenet_udp_bind_ipsecnat_port(racoon_t) -@@ -400,10 +424,11 @@ locallogin_use_fds(racoon_t) +@@ -400,10 +431,11 @@ locallogin_use_fds(racoon_t) logging_send_syslog_msg(racoon_t) logging_send_audit_msgs(racoon_t) @@ -136712,7 +136738,7 @@ index a30840c..7fdc6c9 100644 auth_can_read_shadow_passwords(racoon_t) tunable_policy(`racoon_read_shadow',` auth_tunable_read_shadow(racoon_t) -@@ -437,9 +462,9 @@ corenet_setcontext_all_spds(setkey_t) +@@ -437,9 +469,9 @@ corenet_setcontext_all_spds(setkey_t) locallogin_use_fds(setkey_t) diff --git a/policy-f18-contrib.patch b/policy-f18-contrib.patch index ca460b6..4e67e07 100644 --- a/policy-f18-contrib.patch +++ b/policy-f18-contrib.patch @@ -3362,7 +3362,7 @@ index 6480167..c5be77c 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 0833afb..e9f3f7f 100644 +index 0833afb..e0c6e38 100644 --- a/apache.te +++ b/apache.te 
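Review bot: The racoon_t change in this hunk, `allow racoon_t self:netlink_route_socket { create_netlink_socket_perms };`, only wraps the existing single permission macro in braces and is a functional no-op that adds diff churn; keep the original line. The new `l2tpd_read_pid_files(ipsec_mgmt_t)` optional_policy block is fine as written. The ipsec_mgmt_t section it belongs to starts outside this hunk.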
@@ -18,6 +18,8 @@ policy_module(apache, 2.4.0) @@ -4185,11 +4185,12 @@ index 0833afb..e9f3f7f 100644 # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) postgresql_unpriv_client(httpd_t) -@@ -608,11 +1016,20 @@ optional_policy(` +@@ -608,11 +1016,21 @@ optional_policy(` ') optional_policy(` + smokeping_read_lib_files(httpd_t) ++ smokeping_read_pid_files(httpd_t) +') + +optional_policy(` @@ -4206,7 +4207,7 @@ index 0833afb..e9f3f7f 100644 udev_read_db(httpd_t) ') -@@ -620,6 +1037,12 @@ optional_policy(` +@@ -620,6 +1038,12 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -4219,7 +4220,7 @@ index 0833afb..e9f3f7f 100644 ######################################## # # Apache helper local policy -@@ -633,7 +1056,42 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; +@@ -633,7 +1057,42 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; logging_send_syslog_msg(httpd_helper_t) @@ -4263,7 +4264,7 @@ index 0833afb..e9f3f7f 100644 ######################################## # -@@ -671,28 +1129,30 @@ libs_exec_lib_files(httpd_php_t) +@@ -671,28 +1130,30 @@ libs_exec_lib_files(httpd_php_t) userdom_use_unpriv_users_fds(httpd_php_t) tunable_policy(`httpd_can_network_connect_db',` @@ -4307,7 +4308,7 @@ index 0833afb..e9f3f7f 100644 ') ######################################## -@@ -702,6 +1162,7 @@ optional_policy(` +@@ -702,6 +1163,7 @@ optional_policy(` allow httpd_suexec_t self:capability { setuid setgid }; allow httpd_suexec_t self:process signal_perms; 
@@ -4315,7 +4316,7 @@ index 0833afb..e9f3f7f 100644 allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) -@@ -716,19 +1177,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) +@@ -716,19 +1178,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -4344,7 +4345,7 @@ index 0833afb..e9f3f7f 100644 files_read_usr_files(httpd_suexec_t) files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -738,15 +1207,14 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -738,15 +1208,14 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -4362,7 +4363,7 @@ index 0833afb..e9f3f7f 100644 corenet_tcp_sendrecv_generic_if(httpd_suexec_t) corenet_udp_sendrecv_generic_if(httpd_suexec_t) corenet_tcp_sendrecv_generic_node(httpd_suexec_t) -@@ -757,13 +1225,31 @@ tunable_policy(`httpd_can_network_connect',` +@@ -757,13 +1226,31 @@ tunable_policy(`httpd_can_network_connect',` corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -4395,7 +4396,7 @@ index 0833afb..e9f3f7f 100644 fs_read_nfs_files(httpd_suexec_t) fs_read_nfs_symlinks(httpd_suexec_t) fs_exec_nfs_files(httpd_suexec_t) -@@ -786,6 +1272,25 @@ optional_policy(` +@@ -786,6 +1273,25 @@ optional_policy(` dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -4421,7 +4422,7 @@ index 0833afb..e9f3f7f 100644 ######################################## # # Apache system script local policy -@@ -806,12 +1311,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp +@@ -806,12 +1312,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp kernel_read_kernel_sysctls(httpd_sys_script_t) 
@@ -4439,7 +4440,7 @@ index 0833afb..e9f3f7f 100644 ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -820,18 +1330,51 @@ tunable_policy(`httpd_can_sendmail',` +@@ -820,18 +1331,51 @@ tunable_policy(`httpd_can_sendmail',` mta_send_mail(httpd_sys_script_t) ') @@ -4499,7 +4500,7 @@ index 0833afb..e9f3f7f 100644 corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) corenet_udp_sendrecv_all_ports(httpd_sys_script_t) corenet_tcp_connect_all_ports(httpd_sys_script_t) -@@ -839,14 +1382,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` +@@ -839,14 +1383,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` ') tunable_policy(`httpd_enable_homedirs',` @@ -4540,7 +4541,7 @@ index 0833afb..e9f3f7f 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -854,15 +1422,26 @@ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` +@@ -854,15 +1423,26 @@ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` optional_policy(` clamav_domtrans_clamscan(httpd_sys_script_t) @@ -4567,7 +4568,7 @@ index 0833afb..e9f3f7f 100644 ') ######################################## -@@ -878,11 +1457,9 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t) +@@ -878,11 +1458,9 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t) kernel_dontaudit_list_proc(httpd_rotatelogs_t) kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t) @@ -4579,7 +4580,7 @@ index 0833afb..e9f3f7f 100644 ######################################## # -@@ -908,11 +1485,143 @@ optional_policy(` +@@ -908,11 +1486,143 @@ optional_policy(` tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -4945,7 +4946,7 @@ index 1ea99b2..0b668ae 100644 + ps_process_pattern($1, apmd_t) ') diff --git a/apm.te b/apm.te -index 1c8c27e..4c09721 100644 +index 1c8c27e..53bc3f9 100644 --- a/apm.te +++ b/apm.te 
@@ -4,6 +4,7 @@ policy_module(apm, 1.11.0) @@ -4996,16 +4997,25 @@ index 1c8c27e..4c09721 100644 dev_read_realtime_clock(apmd_t) dev_read_urand(apmd_t) dev_rw_apm_bios(apmd_t) -@@ -96,8 +103,6 @@ fs_dontaudit_getattr_all_symlinks(apmd_t) # Excessive? - fs_dontaudit_getattr_all_pipes(apmd_t) # Excessive? - fs_dontaudit_getattr_all_sockets(apmd_t) # Excessive? - --selinux_search_fs(apmd_t) +@@ -91,12 +98,11 @@ dev_dontaudit_getattr_all_blk_files(apmd_t) # Excessive? + fs_dontaudit_list_tmpfs(apmd_t) + fs_getattr_all_fs(apmd_t) + fs_search_auto_mountpoints(apmd_t) +-fs_dontaudit_getattr_all_files(apmd_t) # Excessive? +-fs_dontaudit_getattr_all_symlinks(apmd_t) # Excessive? +-fs_dontaudit_getattr_all_pipes(apmd_t) # Excessive? +-fs_dontaudit_getattr_all_sockets(apmd_t) # Excessive? - +-selinux_search_fs(apmd_t) ++fs_dontaudit_getattr_all_files(apmd_t) ++fs_dontaudit_getattr_all_symlinks(apmd_t) ++fs_dontaudit_getattr_all_pipes(apmd_t) ++fs_dontaudit_getattr_all_sockets(apmd_t) ++fs_read_cgroup_files(apmd_t) + corecmd_exec_all_executables(apmd_t) - domain_read_all_domains_state(apmd_t) -@@ -114,6 +119,8 @@ files_dontaudit_getattr_all_symlinks(apmd_t) # Excessive? +@@ -114,6 +120,8 @@ files_dontaudit_getattr_all_symlinks(apmd_t) # Excessive? files_dontaudit_getattr_all_pipes(apmd_t) # Excessive? files_dontaudit_getattr_all_sockets(apmd_t) # Excessive? @@ -5014,7 +5024,7 @@ index 1c8c27e..4c09721 100644 init_domtrans_script(apmd_t) init_rw_utmp(apmd_t) init_telinit(apmd_t) -@@ -124,13 +131,12 @@ libs_exec_lib_files(apmd_t) +@@ -124,13 +132,12 @@ libs_exec_lib_files(apmd_t) logging_send_syslog_msg(apmd_t) logging_send_audit_msgs(apmd_t) @@ -5029,7 +5039,7 @@ index 1c8c27e..4c09721 100644 userdom_dontaudit_use_unpriv_user_fds(apmd_t) userdom_dontaudit_search_user_home_dirs(apmd_t) -@@ -142,9 +148,8 @@ ifdef(`distro_redhat',` +@@ -142,9 +149,8 @@ ifdef(`distro_redhat',` can_exec(apmd_t, apmd_var_run_t) 
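Review bot: The four `fs_dontaudit_getattr_all_*(apmd_t)` rules are removed and re-added byte-identical except for the dropped `# Excessive?` comments, so the hunk presents a change where there is none and buries the one real addition, `fs_read_cgroup_files(apmd_t)`; either leave those four lines untouched or state in the commit message that the comments are being dropped on purpose. The blank line that separated the fs_ group from `corecmd_exec_all_executables(apmd_t)` is also lost, so the new rule now runs straight into the next group. The apmd_t section starts outside this hunk.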
@@ -5040,7 +5050,7 @@ index 1c8c27e..4c09721 100644 ') optional_policy(` -@@ -155,6 +160,15 @@ ifdef(`distro_redhat',` +@@ -155,6 +161,15 @@ ifdef(`distro_redhat',` netutils_domtrans(apmd_t) ') @@ -5056,7 +5066,7 @@ index 1c8c27e..4c09721 100644 ',` # for ifconfig which is run all the time kernel_dontaudit_search_sysctl(apmd_t) -@@ -181,6 +195,12 @@ optional_policy(` +@@ -181,6 +196,12 @@ optional_policy(` ') optional_policy(` @@ -5069,7 +5079,7 @@ index 1c8c27e..4c09721 100644 dbus_system_bus_client(apmd_t) optional_policy(` -@@ -210,7 +230,11 @@ optional_policy(` +@@ -210,7 +231,11 @@ optional_policy(` ') optional_policy(` @@ -9243,10 +9253,10 @@ index 0000000..5977d96 +') diff --git a/chrome.te b/chrome.te new file mode 100644 -index 0000000..89dc790 +index 0000000..3168658 --- /dev/null +++ b/chrome.te -@@ -0,0 +1,205 @@ +@@ -0,0 +1,208 @@ +policy_module(chrome,1.0.0) + +######################################## @@ -9351,8 +9361,11 @@ index 0000000..89dc790 +sysnet_dns_name_resolve(chrome_sandbox_t) + +optional_policy(` -+ gnome_rw_inherited_config(chrome_sandbox_t) -+ gnome_read_home_config(chrome_sandbox_t) ++ gnome_rw_inherited_config(chrome_sandbox_t) ++ gnome_read_home_config(chrome_sandbox_t) ++ gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "chromium") ++ gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "chrome") ++ +') + +optional_policy(` @@ -9674,7 +9687,7 @@ index 9a0da94..113eae2 100644 + allow $1 chronyd_unit_file_t:service all_service_perms; ') diff --git a/chronyd.te b/chronyd.te -index fa82327..bdd79af 100644 +index fa82327..d31e3a2 100644 --- a/chronyd.te +++ b/chronyd.te @@ -15,6 +15,12 @@ init_script_file(chronyd_initrc_exec_t) 
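Review bot: In the chrome.te hunk the chrome_sandbox_t optional_policy block now ends with an empty added line immediately before `')`, which is stray whitespace; drop it. The two pre-existing `gnome_rw_inherited_config`/`gnome_read_home_config` calls are also removed and re-added with what looks like only an indentation change, which hides the genuine addition (the two `gnome_cache_filetrans` lines) behind noise; if the indentation fix is intentional, mention it in the description.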
@@ -9696,7 +9709,7 @@ index fa82327..bdd79af 100644 -allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time }; -allow chronyd_t self:process { getcap setcap setrlimit }; -+allow chronyd_t self:capability { dac_override ipc_lock fsetid setuid setgid sys_resource sys_time }; ++allow chronyd_t self:capability { dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource sys_time }; +allow chronyd_t self:process { getcap setcap setrlimit signal }; allow chronyd_t self:shm create_shm_perms; allow chronyd_t self:udp_socket create_socket_perms; @@ -10271,10 +10284,10 @@ index 6077339..d44d33f 100644 corosync_stream_connect(clogd_t) diff --git a/cloudform.fc b/cloudform.fc new file mode 100644 -index 0000000..8a40857 +index 0000000..c63f70c --- /dev/null +++ b/cloudform.fc -@@ -0,0 +1,22 @@ +@@ -0,0 +1,20 @@ +/etc/rc\.d/init\.d/iwhd -- gen_context(system_u:object_r:iwhd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/mongod -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0) + 
@@ -10285,16 +10298,14 @@ index 0000000..8a40857 +/usr/share/aeolus-conductor/dbomatic/dbomatic -- gen_context(system_u:object_r:mongod_exec_t,s0) + +/var/lib/iwhd(/.*)? gen_context(system_u:object_r:iwhd_var_lib_t,s0) -+/var/lib/mongodb(/.*)? gen_context(system_u:object_r:mongod_var_lib_t,s0) ++/var/lib/mongo.* gen_context(system_u:object_r:mongod_var_lib_t,s0) + +/var/log/deltacloud-core(/.*)? gen_context(system_u:object_r:deltacloudd_log_t,s0) +/var/log/iwhd\.log.* -- gen_context(system_u:object_r:iwhd_log_t,s0) -+/var/log/mongodb(/.*)? gen_context(system_u:object_r:mongod_log_t,s0) -+/var/log/mongo(/.*)? gen_context(system_u:object_r:mongod_log_t,s0) -+/var/log/mongo/mongod\.log.* -- gen_context(system_u:object_r:mongod_log_t,s0) ++/var/log/mongo.* gen_context(system_u:object_r:mongod_log_t,s0) +/var/log/aeolus-conductor/dbomatic\.log.* -- gen_context(system_u:object_r:mongod_log_t,s0) + -+/var/run/mongodb(/.*)? gen_context(system_u:object_r:mongod_var_run_t,s0) ++/var/run/mongo.* gen_context(system_u:object_r:mongod_var_run_t,s0) +/var/run/aeolus/dbomatic\.pid -- gen_context(system_u:object_r:mongod_var_run_t,s0) +/var/run/iwhd\.pid -- gen_context(system_u:object_r:iwhd_var_run_t,s0) diff --git a/cloudform.if b/cloudform.if @@ -15427,7 +15438,7 @@ index 305ddf4..ca832e1 100644 + ps_process_pattern($1, cupsd_t) ') diff --git a/cups.te b/cups.te -index e5a8924..7f7e8e2 100644 +index e5a8924..19cc813 100644 --- a/cups.te +++ b/cups.te @@ -1,22 +1,28 @@ @@ -16017,11 +16028,11 @@ index e5a8924..7f7e8e2 100644 - kerberos_use(cupsd_lpd_t) -') -#end for identd - +- -allow cupsd_lpd_t cupsd_etc_t:dir list_dir_perms; -read_files_pattern(cupsd_lpd_t, cupsd_etc_t, cupsd_etc_t) -read_lnk_files_pattern(cupsd_lpd_t, cupsd_etc_t, cupsd_etc_t) -- + -allow cupsd_lpd_t cupsd_rw_etc_t:dir list_dir_perms; -read_files_pattern(cupsd_lpd_t, cupsd_rw_etc_t, cupsd_rw_etc_t) -read_lnk_files_pattern(cupsd_lpd_t, cupsd_rw_etc_t, cupsd_rw_etc_t) 
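Review bot: The rewritten context lines `/var/lib/mongo.*`, `/var/log/mongo.*` and `/var/run/mongo.*` are far broader than the `mongodb(/.*)?` patterns they replace: file-context regexes are anchored at both ends, so `.*` here matches any entry whose name merely begins with `mongo` (a hypothetical `/var/lib/mongoose` tree would get `mongod_var_lib_t`), and the log entry also loses the `--` file-type restriction the old `/var/log/mongo/mongod\.log.*` line had. Spell out the intended names instead, e.g. `/var/lib/mongo(db)?(/.*)?	gen_context(system_u:object_r:mongod_var_lib_t,s0)` and the same shape for the log and run directories, so only the mongo/mongodb trees receive the mongod_* labels.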
@@ -16054,10 +16065,10 @@ index e5a8924..7f7e8e2 100644 -corenet_tcp_bind_generic_node(cupsd_lpd_t) -corenet_udp_bind_generic_node(cupsd_lpd_t) -corenet_tcp_connect_ipp_port(cupsd_lpd_t) - +- -dev_read_urand(cupsd_lpd_t) -dev_read_rand(cupsd_lpd_t) -- + -fs_getattr_xattr_fs(cupsd_lpd_t) +corenet_sendrecv_ipp_client_packets(cupsd_lpd_t) +corenet_tcp_connect_ipp_port(cupsd_lpd_t) @@ -16122,7 +16133,7 @@ index e5a8924..7f7e8e2 100644 - -lpd_manage_spool(cups_pdf_t) - -+userdom_home_filetrans_user_home_dir(cups_pdf_t) ++userdom_filetrans_home_content(cups_pdf_t) tunable_policy(`use_nfs_home_dirs',` - fs_search_auto_mountpoints(cups_pdf_t) @@ -21186,10 +21197,10 @@ index 0000000..a446210 +') diff --git a/dspam.te b/dspam.te new file mode 100644 -index 0000000..16a781c +index 0000000..697222c --- /dev/null +++ b/dspam.te -@@ -0,0 +1,136 @@ +@@ -0,0 +1,141 @@ + +policy_module(dspam, 1.0.0) + @@ -21252,6 +21263,10 @@ index 0000000..16a781c + +auth_use_nsswitch(dspam_t) + ++kernel_read_system_state(dspam_t) ++ ++corecmd_exec_shell(dspam_t) ++ +files_search_spool(dspam_t) + +# for RHEL5 @@ -21321,6 +21336,7 @@ index 0000000..16a781c + +optional_policy(` + postfix_rw_master_pipes(dspam_t) ++ postfix_list_spool(dspam_t) +') + +optional_policy(` @@ -21804,10 +21820,10 @@ index f590a1f..b1b13b0 100644 + admin_pattern($1, fail2ban_tmp_t) ') diff --git a/fail2ban.te b/fail2ban.te -index 2a69e5e..5dccf2c 100644 +index 2a69e5e..66b02d1 100644 --- a/fail2ban.te +++ b/fail2ban.te -@@ -23,12 +23,19 @@ files_type(fail2ban_var_lib_t) +@@ -23,20 +23,27 @@ files_type(fail2ban_var_lib_t) type fail2ban_var_run_t; files_pid_file(fail2ban_var_run_t) 
@@ -21825,11 +21841,12 @@ index 2a69e5e..5dccf2c 100644 # -allow fail2ban_t self:capability { sys_tty_config }; +-allow fail2ban_t self:process signal; +allow fail2ban_t self:capability { dac_read_search dac_override sys_tty_config }; - allow fail2ban_t self:process signal; ++allow fail2ban_t self:process { setsched signal }; allow fail2ban_t self:fifo_file rw_fifo_file_perms; allow fail2ban_t self:unix_stream_socket { connectto create_stream_socket_perms }; -@@ -36,7 +43,7 @@ allow fail2ban_t self:unix_dgram_socket create_socket_perms; + allow fail2ban_t self:unix_dgram_socket create_socket_perms; allow fail2ban_t self:tcp_socket create_stream_socket_perms; # log files @@ -21866,7 +21883,7 @@ index 2a69e5e..5dccf2c 100644 files_read_etc_runtime_files(fail2ban_t) files_read_usr_files(fail2ban_t) files_list_var(fail2ban_t) -@@ -81,10 +92,11 @@ auth_use_nsswitch(fail2ban_t) +@@ -81,18 +92,74 @@ auth_use_nsswitch(fail2ban_t) logging_read_all_logs(fail2ban_t) logging_send_syslog_msg(fail2ban_t) @@ -21880,7 +21897,18 @@ index 2a69e5e..5dccf2c 100644 optional_policy(` apache_read_log(fail2ban_t) ') -@@ -94,5 +106,43 @@ optional_policy(` + + optional_policy(` ++ dbus_system_bus_client(fail2ban_t) ++ dbus_connect_system_bus(fail2ban_t) ++ ++ optional_policy(` ++ firewalld_dbus_chat(fail2ban_t) ++ ') ++') ++ ++optional_policy(` + ftp_read_log(fail2ban_t) ') optional_policy(` @@ -21896,6 +21924,10 @@ index 2a69e5e..5dccf2c 100644 +') + +optional_policy(` ++ rpm_exec(fail2ban_t) ++') ++ ++optional_policy(` + shorewall_domtrans(fail2ban_t) +') + @@ -21917,8 +21949,12 @@ index 2a69e5e..5dccf2c 100644 +files_read_usr_files(fail2ban_client_t) +files_search_pids(fail2ban_client_t) + -+auth_read_passwd(fail2ban_client_t) ++dev_read_urand(fail2ban_client_t) ++dev_read_rand(fail2ban_client_t) ++ ++domain_use_interactive_fds(fail2ban_client_t) + ++auth_read_passwd(fail2ban_client_t) + +optional_policy(` + gnome_dontaudit_search_config(fail2ban_client_t) 
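Review bot: `rpm_exec(fail2ban_t)` is added to the fail2ban_t section with no comment, and nothing in the hunk shows why a log-scanning daemon needs to run the rpm binary inside its own domain; an execute-without-transition rule like this usually drags in follow-up denials for rpm's database and lock files. Add a one-line comment above it naming the action or helper that invokes rpm (`# rpm is run by <fail2ban action — fill in from the denial>`), or drop the rule if the denial originated from a site-local action script. The new `dbus_system_bus_client`/`firewalld_dbus_chat` nesting and the fail2ban_client_t additions are fine as written. The fail2ban_t section begins outside this hunk.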
@@ -30443,7 +30479,7 @@ index d6af9b0..8b1d9c2 100644 +') + diff --git a/kdumpgui.te b/kdumpgui.te -index 0c52f60..0ea64e7 100644 +index 0c52f60..8f16603 100644 --- a/kdumpgui.te +++ b/kdumpgui.te @@ -7,25 +7,36 @@ policy_module(kdumpgui, 1.1.0) @@ -30489,7 +30525,7 @@ index 0c52f60..0ea64e7 100644 files_etc_filetrans_etc_runtime(kdumpgui_t, file) files_read_usr_files(kdumpgui_t) -+fs_read_dos_files(kdumpgui_t) ++fs_manage_dos_files(kdumpgui_t) +fs_getattr_all_fs(kdumpgui_t) +fs_list_hugetlbfs(kdumpgui_t) + @@ -34635,7 +34671,7 @@ index 56c43c0..409bbfc 100644 + +/var/run/mcelog.* gen_context(system_u:object_r:mcelog_var_run_t,s0) diff --git a/mcelog.te b/mcelog.te -index 5671977..99a63b2 100644 +index 5671977..4816760 100644 --- a/mcelog.te +++ b/mcelog.te @@ -7,8 +7,14 @@ policy_module(mcelog, 1.1.0) @@ -34681,7 +34717,7 @@ index 5671977..99a63b2 100644 # for /dev/mem access mls_file_read_all_levels(mcelog_t) -+auth_read_passwd(mcelog_t) ++auth_use_nsswitch(mcelog_t) + logging_send_syslog_msg(mcelog_t) 
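Review bot: Widening `fs_read_dos_files(kdumpgui_t)` to `fs_manage_dos_files(kdumpgui_t)` grants create, write and delete on every file the dos filesystem label covers, which on EFI systems will typically include the system partition, and the hunk gives no reason for moving from read to manage. If a particular file has to be written, record it next to the rule (`# kdumpgui writes <file> on the vfat boot partition`) so the scope can be reviewed, and otherwise prefer the narrowest fs_ interface that clears the denial. The kdumpgui_t section starts outside this hunk.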
@@ -35997,6 +36033,71 @@ index 83f002c..d09878d 100644 + postgresql_stream_connect(httpd_mojomojo_script_t) + ') ') +diff --git a/mongodb.te b/mongodb.te +new file mode 100644 +index 0000000..7bd7e35 +--- /dev/null ++++ b/mongodb.te +@@ -0,0 +1,59 @@ ++policy_module(mongodb, 1.0.2) ++ ++######################################## ++# ++# Declarations ++# ++ ++type mongod_t; ++type mongod_exec_t; ++init_daemon_domain(mongod_t, mongod_exec_t) ++ ++type mongod_initrc_exec_t; ++init_script_file(mongod_initrc_exec_t) ++ ++type mongod_log_t; ++logging_log_file(mongod_log_t) ++ ++type mongod_var_lib_t; ++files_type(mongod_var_lib_t) ++ ++type mongod_var_run_t; ++files_pid_file(mongod_var_run_t) ++ ++######################################## ++# ++# Local policy ++# ++ ++allow mongod_t self:process signal; ++allow mongod_t self:fifo_file rw_fifo_file_perms; ++ ++manage_dirs_pattern(mongod_t, mongod_log_t, mongod_log_t) ++append_files_pattern(mongod_t, mongod_log_t, mongod_log_t) ++create_files_pattern(mongod_t, mongod_log_t, mongod_log_t) ++setattr_files_pattern(mongod_t, mongod_log_t, mongod_log_t) ++logging_log_filetrans(mongod_t, mongod_log_t, dir) ++ ++manage_dirs_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t) ++manage_files_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t) ++files_var_lib_filetrans(mongod_t, mongod_var_lib_t, dir) ++ ++manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t) ++manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t) ++files_pid_filetrans(mongod_t, mongod_var_run_t, dir) ++ ++kernel_read_system_state(mongod_t) ++ ++corenet_all_recvfrom_unlabeled(mongod_t) ++corenet_all_recvfrom_netlabel(mongod_t) ++corenet_tcp_sendrecv_generic_if(mongod_t) ++corenet_tcp_sendrecv_generic_node(mongod_t) ++corenet_tcp_connect_mongod_port(mongod_t) ++corenet_tcp_bind_generic_node(mongod_t) ++ ++dev_read_sysfs(mongod_t) ++dev_read_urand(mongod_t) ++ ++fs_getattr_all_fs(mongod_t) ++ 
diff --git a/mono.te b/mono.te index dff0f12..ecab36d 100644 --- a/mono.te @@ -36103,7 +36204,7 @@ index 3a73e74..77c8857 100644 +/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0) +') diff --git a/mozilla.if b/mozilla.if -index b397fde..1831369 100644 +index b397fde..18263e1 100644 --- a/mozilla.if +++ b/mozilla.if @@ -18,10 +18,11 @@ @@ -36381,13 +36482,13 @@ index b397fde..1831369 100644 + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".ICAClient") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, "zimbrauserdata") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".lyx") -+ #userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, "POkemon Advanced Adventure") ++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".IBMERS") + userdom_user_home_dir_filetrans($1, mozilla_home_t, file, ".gnashpluginrc") + gnome_cache_filetrans($1, mozilla_home_t, dir, "mozilla") +') + diff --git a/mozilla.te b/mozilla.te -index d4fcb75..20b133f 100644 +index d4fcb75..1b888e9 100644 --- a/mozilla.te +++ b/mozilla.te @@ -7,19 +7,41 @@ policy_module(mozilla, 2.6.0) @@ -36567,7 +36668,7 @@ index d4fcb75..20b133f 100644 pulseaudio_stream_connect(mozilla_t) pulseaudio_manage_home_files(mozilla_t) ') -@@ -297,65 +325,109 @@ optional_policy(` +@@ -297,65 +325,111 @@ optional_policy(` # mozilla_plugin local policy # @@ -36580,6 +36681,7 @@ index d4fcb75..20b133f 100644 + +allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms execmem execstack setrlimit }; +allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms; ++allow mozilla_plugin_t self:netlink_socket create_socket_perms; allow mozilla_plugin_t self:tcp_socket create_stream_socket_perms; allow mozilla_plugin_t self:udp_socket create_socket_perms; -allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms; 
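Review bot: The new mongodb.te declares `mongod_t`, `mongod_exec_t`, `mongod_initrc_exec_t`, `mongod_log_t`, `mongod_var_lib_t` and `mongod_var_run_t`, yet cloudform.fc earlier in this same diff labels files with exactly those types, which presumably means cloudform.te declares them too; if so, the two modules will collide on duplicate type declarations and only one of them should own the mongod types. Separately, the module grants `corenet_tcp_connect_mongod_port(mongod_t)` and `corenet_tcp_bind_generic_node(mongod_t)` but no bind on the mongod port, so if the daemon listens on it a `corenet_tcp_bind_mongod_port(mongod_t)` rule will be the first denial reported. A header comment stating which package this module covers and how it relates to cloudform would remove the ambiguity for the next reader.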
@@ -36669,6 +36771,7 @@ index d4fcb75..20b133f 100644 +corenet_tcp_connect_jboss_management_port(mozilla_plugin_t) +corenet_tcp_connect_monopd_port(mozilla_plugin_t) +corenet_tcp_connect_transproxy_port(mozilla_plugin_t) ++corenet_tcp_connect_whois_port(mozilla_plugin_t) +corenet_tcp_connect_all_ephemeral_ports(mozilla_plugin_t) +corenet_tcp_bind_generic_node(mozilla_plugin_t) +corenet_udp_bind_generic_node(mozilla_plugin_t) @@ -36692,7 +36795,7 @@ index d4fcb75..20b133f 100644 domain_use_interactive_fds(mozilla_plugin_t) domain_dontaudit_read_all_domains_state(mozilla_plugin_t) -@@ -363,55 +435,62 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t) +@@ -363,55 +437,62 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t) files_read_config_files(mozilla_plugin_t) files_read_usr_files(mozilla_plugin_t) files_list_mnt(mozilla_plugin_t) @@ -36776,7 +36879,7 @@ index d4fcb75..20b133f 100644 ') optional_policy(` -@@ -420,37 +499,174 @@ optional_policy(` +@@ -420,37 +501,180 @@ optional_policy(` ') optional_policy(` @@ -36832,21 +36935,21 @@ index d4fcb75..20b133f 100644 + pulseaudio_manage_home_dirs(mozilla_plugin_t) pulseaudio_manage_home_files(mozilla_plugin_t) + pulseaudio_manage_home_symlinks(mozilla_plugin_t) - ') - - optional_policy(` -+ pcscd_stream_connect(mozilla_plugin_t) +') + +optional_policy(` -+ rtkit_scheduled(mozilla_plugin_t) ++ pcscd_stream_connect(mozilla_plugin_t) +') + +optional_policy(` -+ udev_read_db(mozilla_plugin_t) ++ rtkit_scheduled(mozilla_plugin_t) +') + +optional_policy(` ++ udev_read_db(mozilla_plugin_t) + ') + + optional_policy(` + xserver_xdm_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file }) + xserver_dontaudit_read_xdm_tmp_files(mozilla_plugin_t) xserver_read_xdm_pid(mozilla_plugin_t) 
@@ -36891,6 +36994,12 @@ index d4fcb75..20b133f 100644 +manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t) +manage_fifo_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t) + ++manage_dirs_pattern(mozilla_plugin_config_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) ++manage_files_pattern(mozilla_plugin_config_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) ++manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) ++files_tmp_filetrans(mozilla_plugin_config_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file lnk_file }) ++userdom_user_tmp_filetrans(mozilla_plugin_config_t, mozilla_plugin_tmp_t, { dir file }) ++ +corecmd_exec_bin(mozilla_plugin_config_t) +corecmd_exec_shell(mozilla_plugin_config_t) + @@ -39748,7 +39857,7 @@ index 1cf05a3..8855ea2 100644 userdom_getattr_user_home_dirs(mysqlmanagerd_t) diff --git a/nagios.fc b/nagios.fc -index 1238f2e..9590368 100644 +index 1238f2e..a00cc2d 100644 --- a/nagios.fc +++ b/nagios.fc @@ -6,7 +6,7 @@ @@ -39760,7 +39869,7 @@ index 1238f2e..9590368 100644 /usr/lib/nagios/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) /var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) -@@ -19,70 +19,75 @@ +@@ -19,70 +19,79 @@ ifdef(`distro_debian',` /usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) ') @@ -39858,6 +39967,10 @@ index 1238f2e..9590368 100644 -# unconfined plugins -/usr/lib/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0) ++# openshift plugins ++/usr/lib64/nagios/plugins/check_node_accept_status -- gen_context(system_u:object_r:nagios_openshift_plugin_exec_t,s0) ++/usr/lib64/nagios/plugins/check_number_openshift_apps -- gen_context(system_u:object_r:nagios_openshift_plugin_exec_t,s0) ++ +# label all nagios plugin as unconfined by default +/usr/lib/nagios/plugins/.* -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0) + 
@@ -39962,7 +40075,7 @@ index 8581040..d7d9a79 100644 init_labeled_script_domtrans($1, nagios_initrc_exec_t) domain_system_change_exemption($1) diff --git a/nagios.te b/nagios.te -index c3e2a2d..9366991 100644 +index c3e2a2d..8beada7 100644 --- a/nagios.te +++ b/nagios.te @@ -5,6 +5,8 @@ policy_module(nagios, 1.12.0) @@ -39986,18 +40099,26 @@ index c3e2a2d..9366991 100644 nagios_plugin_template(admin) nagios_plugin_template(checkdisk) -@@ -33,6 +38,10 @@ nagios_plugin_template(mail) +@@ -33,10 +38,18 @@ nagios_plugin_template(mail) nagios_plugin_template(services) nagios_plugin_template(system) nagios_plugin_template(unconfined) +nagios_plugin_template(eventhandler) ++nagios_plugin_template(openshift) + +type nagios_eventhandler_plugin_tmp_t; +files_tmp_file(nagios_eventhandler_plugin_tmp_t) type nagios_system_plugin_tmp_t; files_tmp_file(nagios_system_plugin_tmp_t) -@@ -77,13 +86,17 @@ files_pid_filetrans(nagios_t, nagios_var_run_t, file) + ++type nagios_openshift_plugin_tmp_t; ++files_tmp_file(nagios_openshift_plugin_tmp_t) ++ + type nrpe_t; + type nrpe_exec_t; + init_daemon_domain(nrpe_t, nrpe_exec_t) +@@ -77,13 +90,17 @@ files_pid_filetrans(nagios_t, nagios_var_run_t, file) manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t) files_spool_filetrans(nagios_t, nagios_spool_t, fifo_file) @@ -40016,7 +40137,7 @@ index c3e2a2d..9366991 100644 corenet_all_recvfrom_netlabel(nagios_t) corenet_tcp_sendrecv_generic_if(nagios_t) corenet_udp_sendrecv_generic_if(nagios_t) -@@ -103,31 +116,27 @@ domain_use_interactive_fds(nagios_t) +@@ -103,31 +120,27 @@ domain_use_interactive_fds(nagios_t) # for ps domain_read_all_domains_state(nagios_t) @@ -40051,7 +40172,7 @@ index c3e2a2d..9366991 100644 netutils_kill_ping(nagios_t) ') -@@ -143,6 +152,7 @@ optional_policy(` +@@ -143,6 +156,7 @@ optional_policy(` # # Nagios CGI local policy # 
@@ -40059,7 +40180,7 @@ index c3e2a2d..9366991 100644 optional_policy(` apache_content_template(nagios) typealias httpd_nagios_script_t alias nagios_cgi_t; -@@ -180,29 +190,31 @@ optional_policy(` +@@ -180,29 +194,31 @@ optional_policy(` # allow nrpe_t self:capability { setuid setgid }; @@ -40095,7 +40216,7 @@ index c3e2a2d..9366991 100644 dev_read_sysfs(nrpe_t) dev_read_urand(nrpe_t) -@@ -211,7 +223,7 @@ domain_use_interactive_fds(nrpe_t) +@@ -211,7 +227,7 @@ domain_use_interactive_fds(nrpe_t) domain_read_all_domains_state(nrpe_t) files_read_etc_runtime_files(nrpe_t) @@ -40104,7 +40225,7 @@ index c3e2a2d..9366991 100644 fs_getattr_all_fs(nrpe_t) fs_search_auto_mountpoints(nrpe_t) -@@ -220,7 +232,6 @@ auth_use_nsswitch(nrpe_t) +@@ -220,7 +236,6 @@ auth_use_nsswitch(nrpe_t) logging_send_syslog_msg(nrpe_t) @@ -40112,7 +40233,7 @@ index c3e2a2d..9366991 100644 userdom_dontaudit_use_unpriv_user_fds(nrpe_t) -@@ -252,11 +263,9 @@ optional_policy(` +@@ -252,11 +267,9 @@ optional_policy(` corecmd_read_bin_files(nagios_admin_plugin_t) corecmd_read_bin_symlinks(nagios_admin_plugin_t) @@ -40124,7 +40245,7 @@ index c3e2a2d..9366991 100644 # for check_file_age plugin files_getattr_all_dirs(nagios_admin_plugin_t) files_getattr_all_files(nagios_admin_plugin_t) -@@ -271,20 +280,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t) +@@ -271,20 +284,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t) # allow nagios_mail_plugin_t self:capability { setuid setgid dac_override }; @@ -40145,7 +40266,7 @@ index c3e2a2d..9366991 100644 logging_send_syslog_msg(nagios_mail_plugin_t) -@@ -300,7 +304,7 @@ optional_policy(` +@@ -300,7 +308,7 @@ optional_policy(` optional_policy(` postfix_stream_connect_master(nagios_mail_plugin_t) 
@@ -40154,7 +40275,7 @@ index c3e2a2d..9366991 100644 ') ###################################### -@@ -311,7 +315,11 @@ optional_policy(` +@@ -311,7 +319,11 @@ optional_policy(` # needed by ioctl() allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio }; @@ -40167,7 +40288,7 @@ index c3e2a2d..9366991 100644 files_read_etc_runtime_files(nagios_checkdisk_plugin_t) fs_getattr_all_fs(nagios_checkdisk_plugin_t) -@@ -323,11 +331,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) +@@ -323,11 +335,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) # local policy for service check plugins # @@ -40181,7 +40302,7 @@ index c3e2a2d..9366991 100644 corecmd_exec_bin(nagios_services_plugin_t) -@@ -342,10 +350,13 @@ files_read_usr_files(nagios_services_plugin_t) +@@ -342,10 +354,13 @@ files_read_usr_files(nagios_services_plugin_t) optional_policy(` netutils_domtrans_ping(nagios_services_plugin_t) @@ -40195,7 +40316,7 @@ index c3e2a2d..9366991 100644 ') optional_policy(` -@@ -365,6 +376,8 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_ +@@ -365,6 +380,8 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_ manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t) files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file }) @@ -40204,7 +40325,7 @@ index c3e2a2d..9366991 100644 kernel_read_system_state(nagios_system_plugin_t) kernel_read_kernel_sysctls(nagios_system_plugin_t) -@@ -372,11 +385,13 @@ corecmd_exec_bin(nagios_system_plugin_t) +@@ -372,11 +389,13 @@ corecmd_exec_bin(nagios_system_plugin_t) corecmd_exec_shell(nagios_system_plugin_t) dev_read_sysfs(nagios_system_plugin_t) 
@@ -40220,7 +40341,7 @@ index c3e2a2d..9366991 100644 # needed by check_users plugin optional_policy(` -@@ -391,3 +406,48 @@ optional_policy(` +@@ -391,3 +410,70 @@ optional_policy(` optional_policy(` unconfined_domain(nagios_unconfined_plugin_t) ') @@ -40249,6 +40370,28 @@ index c3e2a2d..9366991 100644 + +###################################### +# ++# nagios openshift plugin policy ++# ++ ++allow nagios_openshift_plugin_t self:capability sys_ptrace; ++ ++manage_dirs_pattern(nagios_openshift_plugin_t, nagios_openshift_plugin_tmp_t, nagios_openshift_plugin_tmp_t) ++manage_files_pattern(nagios_openshift_plugin_t, nagios_openshift_plugin_tmp_t, nagios_openshift_plugin_tmp_t) ++files_tmp_filetrans(nagios_openshift_plugin_t, nagios_openshift_plugin_tmp_t, { file dir }) ++ ++corecmd_exec_bin(nagios_openshift_plugin_t) ++corecmd_exec_shell(nagios_openshift_plugin_t) ++ ++domain_read_all_domains_state(nagios_openshift_plugin_t) ++ ++fs_getattr_all_fs(nagios_openshift_plugin_t) ++ ++optional_policy(` ++ apache_read_config(nagios_openshift_plugin_t) ++') ++ ++###################################### ++# +# nagios plugin domain policy +# + @@ -46244,10 +46387,10 @@ index 0000000..448e42b +') diff --git a/openvswitch.te b/openvswitch.te new file mode 100644 -index 0000000..fd89b37 +index 0000000..e1dbfa6 --- /dev/null +++ b/openvswitch.te -@@ -0,0 +1,92 @@ +@@ -0,0 +1,97 @@ +policy_module(openvswitch, 1.0.0) + +######################################## @@ -46279,7 +46422,8 @@ index 0000000..fd89b37 +# openvswitch local policy +# + -+allow openvswitch_t self:capability { net_admin ipc_lock sys_nice sys_resource }; ++allow openvswitch_t self:capability { net_admin ipc_lock sys_module sys_nice sys_resource }; ++allow openvswitch_t self:capability2 block_suspend; +allow openvswitch_t self:process { fork setsched setrlimit signal }; +allow openvswitch_t self:fifo_file rw_fifo_file_perms; +allow openvswitch_t self:unix_stream_socket { create_stream_socket_perms connectto }; 
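Review bot: `allow nagios_openshift_plugin_t self:capability sys_ptrace;` grants the new check plugins a capability that, together with `domain_read_all_domains_state(nagios_openshift_plugin_t)` a few lines below, lets them inspect every process on the host; none of the other plugin domains in this file take it. If the denial came from a `ps`-style walk of /proc, the reads the plugin needs usually succeed without the capability and the AVC can be silenced with `dontaudit nagios_openshift_plugin_t self:capability sys_ptrace;` instead. It is worth confirming that check_node_accept_status or check_number_openshift_apps actually fails without it before allowing it.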
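Review bot: `sys_module` in `allow openvswitch_t self:capability { net_admin ipc_lock sys_module sys_nice sys_resource };` lets the daemon load any kernel module directly, which is far wider than the datapath module it presumably wants. If the need is the kernel's automatic module request (the denial would show class `system` permission `module_request`), `kernel_request_load_module(openvswitch_t)` covers it without the capability; if ovs-vswitchd execs modprobe itself, `modutils_domtrans_insmod(openvswitch_t)` keeps the actual loading in the insmod domain. The `capability2 block_suspend` rule added on the following line is fine as written.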
@@ -46317,6 +46461,7 @@ index 0000000..fd89b37 + +dev_read_rand(openvswitch_t) +dev_read_urand(openvswitch_t) ++dev_read_sysfs(openvswitch_t) + +domain_use_interactive_fds(openvswitch_t) + @@ -46340,6 +46485,9 @@ index 0000000..fd89b37 + iptables_domtrans(openvswitch_t) +') + ++optional_policy(` ++ plymouthd_exec_plymouth(openvswitch_t) ++') diff --git a/pacemaker.fc b/pacemaker.fc new file mode 100644 index 0000000..3793461 @@ -67141,7 +67289,7 @@ index c117e8b..0eb909b 100644 + files_list_pids($1) ') diff --git a/snort.te b/snort.te -index 179bc1b..3dbbcc0 100644 +index 179bc1b..1c05200 100644 --- a/snort.te +++ b/snort.te @@ -32,17 +32,18 @@ files_pid_file(snort_var_run_t) @@ -67174,7 +67322,13 @@ index 179bc1b..3dbbcc0 100644 corenet_all_recvfrom_netlabel(snort_t) corenet_tcp_sendrecv_generic_if(snort_t) corenet_udp_sendrecv_generic_if(snort_t) -@@ -95,8 +95,6 @@ init_read_utmp(snort_t) +@@ -91,12 +91,12 @@ files_dontaudit_read_etc_runtime_files(snort_t) + fs_getattr_all_fs(snort_t) + fs_search_auto_mountpoints(snort_t) + ++auth_read_passwd(snort_t) ++ + init_read_utmp(snort_t) logging_send_syslog_msg(snort_t) @@ -78672,10 +78826,10 @@ index 0000000..b34b8b4 + diff --git a/zoneminder.te b/zoneminder.te new file mode 100644 -index 0000000..a98b795 +index 0000000..10e42ad --- /dev/null +++ b/zoneminder.te -@@ -0,0 +1,122 @@ +@@ -0,0 +1,167 @@ +policy_module(zoneminder, 1.0.0) + +######################################## @@ -78685,6 +78839,14 @@ index 0000000..a98b795 + +## +##

++## Allow ZoneMinder to run su/sudo. ++##

++##
++gen_tunable(zoneminder_run_sudo, false) ++ ++ ++## ++##

+## Allow ZoneMinder to modify public files +## used for public file transfer services. +##

@@ -78735,7 +78897,8 @@ index 0000000..a98b795 +manage_dirs_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t) +manage_files_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t) +manage_sock_files_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t) -+files_var_lib_filetrans(zoneminder_t, zoneminder_var_lib_t, { dir file sock_file }) ++manage_lnk_files_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t) ++files_var_lib_filetrans(zoneminder_t, zoneminder_var_lib_t, { dir file lnk_file sock_file }) + +manage_dirs_pattern(zoneminder_t, zoneminder_var_run_t, zoneminder_var_run_t) +manage_files_pattern(zoneminder_t, zoneminder_var_run_t, zoneminder_var_run_t) @@ -78748,6 +78911,8 @@ index 0000000..a98b795 + +kernel_read_system_state(zoneminder_t) + ++domain_read_all_domains_state(zoneminder_t) ++ +corecmd_exec_bin(zoneminder_t) +corecmd_exec_shell(zoneminder_t) + 
@@ -78761,16 +78926,45 @@ index 0000000..a98b795 +dev_read_video_dev(zoneminder_t) +dev_write_video_dev(zoneminder_t) + -+files_read_usr_files(zoneminder_t) -+ +auth_use_nsswitch(zoneminder_t) + +logging_send_syslog_msg(zoneminder_t) ++logging_send_audit_msgs(zoneminder_t) ++ ++mta_send_mail(zoneminder_t) + +tunable_policy(`zoneminder_anon_write',` + miscfiles_manage_public_files(zoneminder_t) +') + ++tunable_policy(`zoneminder_run_sudo',` ++ allow zoneminder_t self:capability { setrlimit setuid setgid sys_resource } ++ allow zoneminder_t self:key write; ++ allow zoneminder_t self:process setsched; ++ allow zoneminder_t self:passwd rootok; ++ ++ auth_rw_lastlog(zoneminder_t) ++ ++ selinux_compute_access_vector(zoneminder_t) ++ ++ systemd_write_inherited_logind_sessions_pipes(zoneminder_t) ++ systemd_dbus_chat_logind(zoneminder_t) ++ ++ xserver_exec_xauth(zoneminder_t) ++') ++ ++optional_policy(` ++ tunable_policy(`zoneminder_run_sudo',` ++ dbus_system_bus_client(zoneminder_t) ++ ') ++') ++ ++optional_policy(` ++ tunable_policy(`zoneminder_run_sudo',` ++ sudo_exec(zoneminder_t) ++ su_exec(zoneminder_t) ++ ') ++') +optional_policy(` + mysql_stream_connect(zoneminder_t) +') @@ -78787,7 +78981,12 @@ index 0000000..a98b795 + #allow httpd_zoneminder_script_t self:shm create_shm_perms; + + manage_sock_files_pattern(httpd_zoneminder_script_t, zoneminder_var_lib_t, zoneminder_var_lib_t) ++ ++ rw_files_pattern(httpd_zoneminder_script_t, zoneminder_tmpfs_t, zoneminder_tmpfs_t) ++ + zoneminder_stream_connect(httpd_zoneminder_script_t) ++ ++ can_exec(zoneminder_t, httpd_zoneminder_script_exec_t) + + files_search_var_lib(httpd_zoneminder_script_t) + diff --git a/selinux-policy.spec b/selinux-policy.spec index 0b52254..9b115ed 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
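Review bot: The first rule inside the new `tunable_policy(`zoneminder_run_sudo'` block does not compile: `allow zoneminder_t self:capability { setrlimit setuid setgid sys_resource }` lacks the terminating semicolon, and `setrlimit` is a permission of the `process` class, not of `capability`, so checkpolicy rejects it either way. If the intent is to let the domain raise its own resource limits, the block should read `allow zoneminder_t self:capability { setuid setgid sys_resource };` and `allow zoneminder_t self:process { setrlimit setsched };`, folding the existing `setsched` line into the second. Separately, `sudo_exec(zoneminder_t)` and `su_exec(zoneminder_t)` sit inside one `optional_policy` block, which only loads when both the su and sudo modules are present; refpolicy convention is one optional_policy per module, so splitting them keeps the tunable usable when only one of the two is installed.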
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.11.1
-Release: 98%{?dist}
+Release: 99%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -521,6 +521,40 @@ SELinux Reference policy mls base module. %endif %Changelog +* Fri Aug 2 2013 Miroslav Grepl 3.11.1-99 +- Allow snort to read /etc/passwd +- I guess mcelog using getpw calls +- /usr/java/jre1.7.0_21/bin/java needs to create netlink socket +- Add additional fixes to make DSPAM with LDA workin +- Allow cups_pdf_t to create home content +- Allow fail2ban to communicate with firewalld over dbus +- Cleanup openvswitch policy +- Allow openvswitch to read sys and execute plymouth +- Allow mozilla_plugin_config_t to create tmp files +- Allow apache to access smokeping pid files +- Call th proper interface +- Allow mozilla-plugin to connect to whois port +- Back port zoneminder policy +- Add support for nagios openshift plugins +- s/IBMERS/.IBMERS/ +- Back port chrome_sandbox_t fixes for #984208 +- Allow kdumpgui to write dos files for /boot/efi/EFI/fedora/grub.cfg +- Fix label of mongodb in cloudform package +- Add labeling for /usr/libexec/nm-ssh-service +- Add additional fixes to make strongswan working with a simple conf +- Allow ipsec_mgmt_t to read l2tpd pid content +- Remove multiple spec +- Add additional fix for xserver.fc +- Fix labeling for lightdm-razor binaries +- Add defintion for vfio_device_t +- Lets label /sys/fs/cgroup as cgroup_t for now, to keep labels consistant +- Allow goolgle badly built libraries into /opt/google/* +- Additional fix for domain.te +- Fix domain.te +- Allow apps that connect to xdm stream to conenct to xdm_dbusd_t stream +- Allow to create .mplayer with the correct labeling for unconfined +- Allow iscsiadmin to create lock file with the correct labeling + * Tue Jun 27 2013 Miroslav Grepl 3.11.1-97 - Make DSPAM to act as a LDA working - Allow NM to read file_t (usb stick with no labels used to transfer keys for example)