diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 8b9cda6..2c5b246 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -5083,7 +5083,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 4edc40d..73d7b76 100644 +index 4edc40d..2b87328 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4) @@ -5308,7 +5308,7 @@ index 4edc40d..73d7b76 100644 network_port(pktcable_cops, tcp,2126,s0, udp,2126,s0) network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0) network_port(portmap, udp,111,s0, tcp,111,s0) -@@ -214,38 +254,41 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0) +@@ -214,38 +254,42 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0) network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0) network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) @@ -5337,6 +5337,7 @@ index 4edc40d..73d7b76 100644 network_port(sap, tcp,9875,s0, udp,9875,s0) +network_port(saphostctrl, tcp,1128,s0, tcp,1129,s0) network_port(servistaitsm, tcp,3636,s0, udp,3636,s0) ++network_port(sge, tcp,6444,s0, tcp,6445,s0) network_port(sieve, tcp,4190,s0) network_port(sip, tcp,5060,s0, udp,5060,s0, tcp,5061,s0, udp,5061,s0) network_port(sixxsconfig, tcp,3874,s0, udp,3874,s0) @@ -5356,7 +5357,7 @@ index 4edc40d..73d7b76 100644 network_port(ssh, tcp,22,s0) network_port(stunnel) # no defined portcon network_port(svn, tcp,3690,s0, udp,3690,s0) -@@ -257,8 +300,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0) +@@ -257,8 +301,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0) network_port(tcs, tcp, 30003, s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) 
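Review bot: The new `network_port(sge, tcp,6444,s0, tcp,6445,s0)` declaration in corenetwork.te.in has no comment naming which SGE component owns each port, and its only visible consumers (`corenet_tcp_bind_sge_port`/`corenet_tcp_connect_sge_port` in the sge.te hunk of the contrib patch later in this commit) live in the other patch file, so the two patches must be applied together or the contrib build fails on an undefined interface. A short comment next to the declaration, `# sge: qmaster/execd ports — TODO confirm which is 6444 and which is 6445`, would help the next reviewer; the sge.te hunk only shows sge_execd_t binding and connecting to both, so the split is not visible here. The port list this hunk edits continues outside the hunk on both sides.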
@@ -5367,7 +5368,7 @@ index 4edc40d..73d7b76 100644 network_port(transproxy, tcp,8081,s0) network_port(trisoap, tcp,10200,s0, udp,10200,s0) network_port(ups, tcp,3493,s0) -@@ -268,10 +312,10 @@ network_port(varnishd, tcp,6081-6082,s0) +@@ -268,10 +313,10 @@ network_port(varnishd, tcp,6081-6082,s0) network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(virtual_places, tcp,1533,s0, udp,1533,s0) network_port(virt_migration, tcp,49152-49216,s0) @@ -5380,7 +5381,7 @@ index 4edc40d..73d7b76 100644 network_port(winshadow, tcp,3161,s0, udp,3261,s0) network_port(wsdapi, tcp,5357,s0, udp,5357,s0) network_port(wsicopy, tcp,3378,s0, udp,3378,s0) -@@ -292,12 +336,16 @@ network_port(zope, tcp,8021,s0) +@@ -292,12 +337,16 @@ network_port(zope, tcp,8021,s0) # Defaults for reserved ports. Earlier portcon entries take precedence; # these entries just cover any remaining reserved ports not otherwise declared. @@ -5399,7 +5400,7 @@ index 4edc40d..73d7b76 100644 ######################################## # -@@ -330,6 +378,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) +@@ -330,6 +379,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) build_option(`enable_mls',` network_interface(lo, lo, s0 - mls_systemhigh) @@ -5408,7 +5409,7 @@ index 4edc40d..73d7b76 100644 ',` typealias netif_t alias { lo_netif_t netif_lo_t }; ') -@@ -342,9 +392,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -342,9 +393,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; @@ -33648,7 +33649,7 @@ index 6944526..ec17624 100644 + files_etc_filetrans($1, net_conf_t, file, "ntp.conf") +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index b7686d5..9a50b11 100644 +index b7686d5..50102d0 100644 --- a/policy/modules/system/sysnetwork.te 
+++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.14.6) @@ -33809,7 +33810,7 @@ index b7686d5..9a50b11 100644 hotplug_getattr_config_dirs(dhcpc_t) hotplug_search_config(dhcpc_t) -@@ -190,23 +212,35 @@ optional_policy(` +@@ -190,23 +212,36 @@ optional_policy(` optional_policy(` netutils_run_ping(dhcpc_t, dhcpc_roles) netutils_run(dhcpc_t, dhcpc_roles) @@ -33824,6 +33825,7 @@ index b7686d5..9a50b11 100644 + networkmanager_domtrans(dhcpc_t) + networkmanager_read_pid_files(dhcpc_t) + networkmanager_manage_lib(dhcpc_t) ++ networkmanager_stream_connect(dhcpc_t) +') + +optional_policy(` @@ -33845,7 +33847,7 @@ index b7686d5..9a50b11 100644 ') optional_policy(` -@@ -216,7 +250,11 @@ optional_policy(` +@@ -216,7 +251,11 @@ optional_policy(` optional_policy(` seutil_sigchld_newrole(dhcpc_t) @@ -33858,7 +33860,7 @@ index b7686d5..9a50b11 100644 ') optional_policy(` -@@ -259,6 +297,7 @@ allow ifconfig_t self:msgq create_msgq_perms; +@@ -259,6 +298,7 @@ allow ifconfig_t self:msgq create_msgq_perms; allow ifconfig_t self:msg { send receive }; # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; @@ -33866,7 +33868,7 @@ index b7686d5..9a50b11 100644 # for /sbin/ip allow ifconfig_t self:packet_socket create_socket_perms; allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms; -@@ -277,11 +316,20 @@ corenet_rw_tun_tap_dev(ifconfig_t) +@@ -277,11 +317,20 @@ corenet_rw_tun_tap_dev(ifconfig_t) dev_read_sysfs(ifconfig_t) # for IPSEC setup: dev_read_urand(ifconfig_t) @@ -33887,7 +33889,7 @@ index b7686d5..9a50b11 100644 fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) -@@ -294,22 +342,22 @@ term_dontaudit_use_all_ptys(ifconfig_t) +@@ -294,22 +343,22 @@ term_dontaudit_use_all_ptys(ifconfig_t) term_dontaudit_use_ptmx(ifconfig_t) term_dontaudit_use_generic_ptys(ifconfig_t) 
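Review bot: `networkmanager_stream_connect(dhcpc_t)` hands a domain that parses DHCP replies from the local network a control channel to NetworkManager_t, and the surrounding optional_policy block already grants networkmanager_domtrans, networkmanager_read_pid_files and networkmanager_manage_lib, so the combined reach of dhcpc_t into NM is now fairly broad. The changelog attributes the need to nm-dhcp-helper, which presumably runs as dhcpc_t, but nothing in the rule records that; a comment such as `# nm-dhcp-helper reports lease state back to NM over its unix socket` would keep a later reader from assuming dhclient itself needs the socket. The file section continues outside this hunk, so any existing comment on the block is not visible here.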
@@ -33915,7 +33917,7 @@ index b7686d5..9a50b11 100644 userdom_use_all_users_fds(ifconfig_t) ifdef(`distro_ubuntu',` -@@ -318,7 +366,22 @@ ifdef(`distro_ubuntu',` +@@ -318,7 +367,22 @@ ifdef(`distro_ubuntu',` ') ') @@ -33938,7 +33940,7 @@ index b7686d5..9a50b11 100644 optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) ') -@@ -329,8 +392,7 @@ ifdef(`hide_broken_symptoms',` +@@ -329,8 +393,7 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` @@ -33948,7 +33950,7 @@ index b7686d5..9a50b11 100644 ') optional_policy(` -@@ -339,7 +401,11 @@ optional_policy(` +@@ -339,7 +402,11 @@ optional_policy(` ') optional_policy(` @@ -33961,7 +33963,7 @@ index b7686d5..9a50b11 100644 ') optional_policy(` -@@ -360,3 +426,9 @@ optional_policy(` +@@ -360,3 +427,9 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 17919d9..6a2197b 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -516,7 +516,7 @@ index 058d908..702b716 100644 +') + diff --git a/abrt.te b/abrt.te -index cc43d25..563c773 100644 +index cc43d25..7722b79 100644 --- a/abrt.te +++ b/abrt.te @@ -1,4 +1,4 @@ @@ -525,7 +525,7 @@ index cc43d25..563c773 100644 ######################################## # -@@ -6,105 +6,115 @@ policy_module(abrt, 1.3.4) +@@ -6,105 +6,116 @@ policy_module(abrt, 1.3.4) # ## @@ -585,6 +585,7 @@ index cc43d25..563c773 100644 type abrt_var_cache_t; files_type(abrt_var_cache_t) +files_tmp_file(abrt_var_cache_t) ++userdom_user_tmp_file(abrt_var_cache_t) +# pid files type abrt_var_run_t; 
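Review bot: `userdom_user_tmp_file(abrt_var_cache_t)` in the abrt.te hunk marks the crash-dump cache as user tmp content, so any domain that is given user tmp access by attribute reaches it, not only the gnome-abrt client the changelog names; the line above already applies files_tmp_file to the same type. Crash dumps can hold process memory with credentials, so this is broader than the stated goal, and a dedicated abrt interface called from the client's domain would keep the exposure to the one domain that needs it. If the attribute is kept, record the trade-off next to it, `# gnome-abrt runs as the user and must manage the dump directories`.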
@@ -684,7 +685,7 @@ index cc43d25..563c773 100644 manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t) logging_log_filetrans(abrt_t, abrt_var_log_t, file) -@@ -112,23 +122,25 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) +@@ -112,23 +123,25 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir }) @@ -713,7 +714,7 @@ index cc43d25..563c773 100644 kernel_request_load_module(abrt_t) kernel_rw_kernel_sysctl(abrt_t) -@@ -137,16 +149,14 @@ corecmd_exec_shell(abrt_t) +@@ -137,16 +150,14 @@ corecmd_exec_shell(abrt_t) corecmd_read_all_executables(abrt_t) corenet_all_recvfrom_netlabel(abrt_t) @@ -732,7 +733,7 @@ index cc43d25..563c773 100644 dev_getattr_all_chr_files(abrt_t) dev_getattr_all_blk_files(abrt_t) -@@ -163,29 +173,36 @@ files_getattr_all_files(abrt_t) +@@ -163,29 +174,36 @@ files_getattr_all_files(abrt_t) files_read_config_files(abrt_t) files_read_etc_runtime_files(abrt_t) files_read_var_symlinks(abrt_t) @@ -772,7 +773,7 @@ index cc43d25..563c773 100644 tunable_policy(`abrt_anon_write',` miscfiles_manage_public_files(abrt_t) -@@ -193,15 +210,11 @@ tunable_policy(`abrt_anon_write',` +@@ -193,15 +211,11 @@ tunable_policy(`abrt_anon_write',` optional_policy(` apache_list_modules(abrt_t) @@ -789,7 +790,7 @@ index cc43d25..563c773 100644 ') optional_policy(` -@@ -209,6 +222,12 @@ optional_policy(` +@@ -209,6 +223,12 @@ optional_policy(` ') optional_policy(` @@ -802,7 +803,7 @@ index cc43d25..563c773 100644 policykit_domtrans_auth(abrt_t) policykit_read_lib(abrt_t) policykit_read_reload(abrt_t) -@@ -220,6 +239,7 @@ optional_policy(` +@@ -220,6 +240,7 @@ optional_policy(` corecmd_exec_all_executables(abrt_t) ') 
@@ -810,7 +811,7 @@ index cc43d25..563c773 100644 optional_policy(` rpm_exec(abrt_t) rpm_dontaudit_manage_db(abrt_t) -@@ -230,6 +250,7 @@ optional_policy(` +@@ -230,6 +251,7 @@ optional_policy(` rpm_signull(abrt_t) ') @@ -818,7 +819,7 @@ index cc43d25..563c773 100644 optional_policy(` sendmail_domtrans(abrt_t) ') -@@ -240,9 +261,17 @@ optional_policy(` +@@ -240,9 +262,17 @@ optional_policy(` sosreport_delete_tmp_files(abrt_t) ') @@ -837,7 +838,7 @@ index cc43d25..563c773 100644 # allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms; -@@ -253,9 +282,13 @@ tunable_policy(`abrt_handle_event',` +@@ -253,9 +283,13 @@ tunable_policy(`abrt_handle_event',` can_exec(abrt_t, abrt_handle_event_exec_t) ') @@ -852,7 +853,7 @@ index cc43d25..563c773 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -268,6 +301,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) +@@ -268,6 +302,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) @@ -860,7 +861,7 @@ index cc43d25..563c773 100644 read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) -@@ -276,15 +310,20 @@ corecmd_read_all_executables(abrt_helper_t) +@@ -276,15 +311,20 @@ corecmd_read_all_executables(abrt_helper_t) domain_read_all_domains_state(abrt_helper_t) 
@@ -881,7 +882,7 @@ index cc43d25..563c773 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -292,11 +331,25 @@ ifdef(`hide_broken_symptoms',` +@@ -292,11 +332,25 @@ ifdef(`hide_broken_symptoms',` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -908,7 +909,7 @@ index cc43d25..563c773 100644 # allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms; -@@ -314,10 +367,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) +@@ -314,10 +368,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) dev_read_urand(abrt_retrace_coredump_t) @@ -922,7 +923,7 @@ index cc43d25..563c773 100644 optional_policy(` rpm_exec(abrt_retrace_coredump_t) rpm_dontaudit_manage_db(abrt_retrace_coredump_t) -@@ -330,10 +385,11 @@ optional_policy(` +@@ -330,10 +386,11 @@ optional_policy(` ####################################### # @@ -936,7 +937,7 @@ index cc43d25..563c773 100644 allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) -@@ -352,30 +408,38 @@ corecmd_exec_shell(abrt_retrace_worker_t) +@@ -352,30 +409,38 @@ corecmd_exec_shell(abrt_retrace_worker_t) dev_read_urand(abrt_retrace_worker_t) @@ -978,7 +979,7 @@ index cc43d25..563c773 100644 kernel_read_kernel_sysctls(abrt_dump_oops_t) kernel_read_ring_buffer(abrt_dump_oops_t) -@@ -384,14 +448,15 @@ domain_use_interactive_fds(abrt_dump_oops_t) +@@ -384,14 +449,15 @@ domain_use_interactive_fds(abrt_dump_oops_t) fs_list_inotifyfs(abrt_dump_oops_t) logging_read_generic_logs(abrt_dump_oops_t) 
@@ -996,7 +997,7 @@ index cc43d25..563c773 100644 read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t) -@@ -400,16 +465,14 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) +@@ -400,16 +466,14 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) corecmd_exec_bin(abrt_watch_log_t) logging_read_all_logs(abrt_watch_log_t) @@ -10356,10 +10357,10 @@ index 0000000..5977d96 +') diff --git a/chrome.te b/chrome.te new file mode 100644 -index 0000000..41d3959 +index 0000000..7267a85 --- /dev/null +++ b/chrome.te -@@ -0,0 +1,220 @@ +@@ -0,0 +1,222 @@ +policy_module(chrome,1.0.0) + +######################################## @@ -10393,6 +10394,7 @@ index 0000000..41d3959 +# +# chrome_sandbox local policy +# ++allow chrome_sandbox_t self:capability2 block_suspend; +allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot sys_ptrace }; +dontaudit chrome_sandbox_t self:capability sys_nice; +allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack }; @@ -10429,6 +10431,7 @@ index 0000000..41d3959 +corecmd_exec_bin(chrome_sandbox_t) + +corenet_all_recvfrom_netlabel(chrome_sandbox_t) ++corenet_tcp_connect_aol_port(chrome_sandbox_t) +corenet_tcp_connect_asterisk_port(chrome_sandbox_t) +corenet_tcp_connect_flash_port(chrome_sandbox_t) +corenet_tcp_connect_ms_streaming_port(chrome_sandbox_t) @@ -11601,16 +11604,26 @@ index cc4e7cb..f348d27 100644 domain_system_change_exemption($1) role_transition $2 cmirrord_initrc_exec_t system_r; diff --git a/cmirrord.te b/cmirrord.te -index d8e9958..0046a69 100644 +index d8e9958..d2303a4 100644 --- a/cmirrord.te 
+++ b/cmirrord.te -@@ -42,16 +42,12 @@ files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file) +@@ -23,7 +23,7 @@ files_pid_file(cmirrord_var_run_t) + # Local policy + # + +-allow cmirrord_t self:capability { net_admin kill }; ++allow cmirrord_t self:capability { sys_admin net_admin kill }; + dontaudit cmirrord_t self:capability sys_tty_config; + allow cmirrord_t self:process { setfscreate signal }; + allow cmirrord_t self:fifo_file rw_fifo_file_perms; +@@ -42,16 +42,17 @@ files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file) domain_use_interactive_fds(cmirrord_t) domain_obj_id_change_exemption(cmirrord_t) -files_read_etc_files(cmirrord_t) - storage_create_fixed_disk_dev(cmirrord_t) ++storage_rw_inherited_fixed_disk_dev(cmirrord_t) seutil_read_file_contexts(cmirrord_t) @@ -11621,6 +11634,10 @@ index d8e9958..0046a69 100644 optional_policy(` corosync_stream_connect(cmirrord_t) ') ++ ++optional_policy(` ++ rhcs_rw_cluster_tmpfs(cmirrord_t) ++') diff --git a/cobbler.fc b/cobbler.fc index 973d208..2b650a7 100644 --- a/cobbler.fc @@ -16055,10 +16072,10 @@ index 6ce66e7..1d0337a 100644 optional_policy(` diff --git a/cups.fc b/cups.fc -index 949011e..0332f88 100644 +index 949011e..afe482b 100644 --- a/cups.fc +++ b/cups.fc -@@ -1,77 +1,86 @@ +@@ -1,77 +1,87 @@ -/etc/alchemist/namespace/printconf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/etc/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0) 
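Review bot: `sys_admin` is added to cmirrord_t's capability set with no comment recording which operation needs it; it is the broadest Linux capability, so a justification such as `# sys_admin: needed for <ioctl/syscall> — TODO confirm` is warranted, and if the trigger is only the block-device access that the new `storage_rw_inherited_fixed_disk_dev(cmirrord_t)` line accompanies, check whether a narrower capability covers it. The second cmirrord hunk on this line, the `rhcs_rw_cluster_tmpfs(cmirrord_t)` optional_policy block, is fine as written.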
@@ -16131,6 +16148,7 @@ index 949011e..0332f88 100644 -/usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) +/usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:cupsd_exec_t,s0) +/usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0) ++/usr/sbin/cups-browsed -- gen_context(system_u:object_r:cupsd_exec_t,s0) +/usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) +/usr/sbin/hpiod -- gen_context(system_u:object_r:cupsd_exec_t,s0) +/usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) @@ -37390,7 +37408,7 @@ index 6194b80..116d9d2 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 6a306ee..66e7ada 100644 +index 6a306ee..8f6c0ba 100644 --- a/mozilla.te +++ b/mozilla.te @@ -1,4 +1,4 @@ @@ -37828,7 +37846,7 @@ index 6a306ee..66e7ada 100644 ') optional_policy(` -@@ -300,221 +316,174 @@ optional_policy(` +@@ -300,221 +316,175 @@ optional_policy(` ######################################## # @@ -37936,6 +37954,7 @@ index 6a306ee..66e7ada 100644 -corenet_tcp_sendrecv_generic_node(mozilla_plugin_t) - -corenet_sendrecv_asterisk_client_packets(mozilla_plugin_t) ++corenet_tcp_connect_aol_port(mozilla_plugin_t) corenet_tcp_connect_asterisk_port(mozilla_plugin_t) -corenet_tcp_sendrecv_asterisk_port(mozilla_plugin_t) - @@ -38145,7 +38164,7 @@ index 6a306ee..66e7ada 100644 ') optional_policy(` -@@ -523,36 +492,47 @@ optional_policy(` +@@ -523,36 +493,48 @@ optional_policy(` ') optional_policy(` @@ -38201,12 +38220,13 @@ index 6a306ee..66e7ada 100644 + pulseaudio_exec(mozilla_plugin_t) + pulseaudio_stream_connect(mozilla_plugin_t) + pulseaudio_setattr_home_dir(mozilla_plugin_t) ++ pulseaudio_manage_home_dirs(mozilla_plugin_t) + pulseaudio_manage_home_files(mozilla_plugin_t) + pulseaudio_manage_home_symlinks(mozilla_plugin_t) ') optional_policy(` -@@ -560,7 +540,7 @@ optional_policy(` +@@ -560,7 +542,7 @@ optional_policy(` ') optional_policy(` 
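Review bot: Labelling `/usr/sbin/cups-browsed` as `cupsd_exec_t` runs the browse daemon in cupsd_t, so a process whose job is to consume printer-discovery traffic from the network inherits the entire cupsd_t policy rather than a domain sized to what it does. If sharing the domain is the intended trade-off, say so beside the line, `# cups-browsed shares cupsd_t until it gets its own domain`; otherwise a dedicated type with only the socket and config access it needs would be the least-privilege choice. The rest of the cups.fc section is outside this hunk, so I cannot tell whether a comment already exists.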
@@ -38215,7 +38235,7 @@ index 6a306ee..66e7ada 100644 ') optional_policy(` -@@ -568,108 +548,113 @@ optional_policy(` +@@ -568,108 +550,113 @@ optional_policy(` ') optional_policy(` @@ -42896,7 +42916,7 @@ index a1fb3c3..8fe1d63 100644 +/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) diff --git a/networkmanager.if b/networkmanager.if -index 0e8508c..b9c69d2 100644 +index 0e8508c..2669fe1 100644 --- a/networkmanager.if +++ b/networkmanager.if @@ -2,7 +2,7 @@ @@ -43143,7 +43163,7 @@ index 0e8508c..b9c69d2 100644 ## ## ## -@@ -227,33 +292,92 @@ interface(`networkmanager_read_pid_files',` +@@ -227,33 +292,111 @@ interface(`networkmanager_read_pid_files',` ## ## # @@ -43214,6 +43234,25 @@ index 0e8508c..b9c69d2 100644 + manage_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t) +') + ++#################################### ++## ++## Connect to NM over a unix domain ++## stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`networkmanager_stream_connect',` ++ gen_require(` ++ type NetworkManager_t, NetworkManager_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t, NetworkManager_t) ++') + +######################################## +## @@ -48240,10 +48279,10 @@ index 0000000..f2d6119 +/var/run/openshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0) diff --git a/openshift.if b/openshift.if new file mode 100644 -index 0000000..8a1731a +index 0000000..0dd82f8 --- /dev/null +++ b/openshift.if -@@ -0,0 +1,654 @@ +@@ -0,0 +1,656 @@ + +## policy for openshift + 
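Review bot: The new `networkmanager_stream_connect` interface allows `connectto` to NetworkManager_t through any socket labelled NetworkManager_var_run_t, and the networkmanager.fc hunk earlier on this line labels `/var/run/wpa_supplicant(/.*)?` with that same type, so callers are not limited to NetworkManager's own socket path. That is acceptable if one type is meant to cover both daemons, but the interface description should state it, e.g. `## Connect over a unix stream socket to a process running as NetworkManager_t via any socket labelled NetworkManager_var_run_t (this includes /var/run/wpa_supplicant).` Whether wpa_supplicant itself runs as NetworkManager_t is not visible here — confirm before relying on the peer check to exclude it.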
@@ -48503,6 +48542,7 @@ index 0000000..8a1731a + + files_search_var_lib($1) + read_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t) ++ read_lnk_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t) +') + +######################################## @@ -48542,6 +48582,7 @@ index 0000000..8a1731a + + files_search_var_lib($1) + manage_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t) ++ manage_lnk_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t) +') + +######################################## @@ -58514,7 +58555,7 @@ index 6864479..0e7d875 100644 +/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0) +/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0) diff --git a/pulseaudio.if b/pulseaudio.if -index fa3dc8e..59808e5 100644 +index fa3dc8e..99cfa95 100644 --- a/pulseaudio.if +++ b/pulseaudio.if @@ -2,47 +2,44 @@ @@ -58680,7 +58721,7 @@ index fa3dc8e..59808e5 100644 ## ## Domain allowed access. ## -@@ -205,85 +204,95 @@ interface(`pulseaudio_setattr_home_dir',` +@@ -205,148 +204,190 @@ interface(`pulseaudio_setattr_home_dir',` type pulseaudio_home_t; ') @@ -58742,7 +58783,7 @@ index fa3dc8e..59808e5 100644 ## -## Read and write Pulse Audio files. +## Create, read, write, and delete pulseaudio -+## home directory files. ++## home directories. ## -## +## 
@@ -58752,16 +58793,15 @@ index fa3dc8e..59808e5 100644 ## # -interface(`pulseaudio_rw_home_files',` -+interface(`pulseaudio_manage_home_files',` ++interface(`pulseaudio_manage_home_dirs',` gen_require(` type pulseaudio_home_t; ') userdom_search_user_home_dirs($1) - rw_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) -+ manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) - read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) -+ pulseaudio_filetrans_home_content($1) +- read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) ++ manage_dirs_pattern($1, pulseaudio_home_t, pulseaudio_home_t) ') ######################################## @@ -58769,7 +58809,7 @@ index fa3dc8e..59808e5 100644 -## Create, read, write, and delete -## pulseaudio home content. +## Create, read, write, and delete pulseaudio -+## home directory symlinks. ++## home directory files. ## -## +## 
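Review bot: `pulseaudio_manage_home_dirs` grants manage_dirs_pattern on pulseaudio_home_t but carries no file transition, while the `.pulse` dir transition now lives only in pulseaudio_filetrans_home_content, which the following hunks call from pulseaudio_manage_home_files alone; a domain that calls just the dirs interface can therefore create `.pulse` under a home directory with the default home label instead of pulseaudio_home_t. The changelog says this split is deliberate, so the interface description should say it too, e.g. `## Callers that create the .pulse directory must also call pulseaudio_manage_home_files to get the file transition.` The mozilla_plugin_t caller in this commit invokes both interfaces and is unaffected.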
@@ -58778,47 +58818,44 @@ index fa3dc8e..59808e5 100644 ## ## # --interface(`pulseaudio_manage_home_files',` + interface(`pulseaudio_manage_home_files',` - refpolicywarn(`$0($*) has been deprecated, use pulseaudio_manage_home() instead.') - pulseaudio_manage_home($1) -+interface(`pulseaudio_manage_home_symlinks',` + gen_require(` + type pulseaudio_home_t; + ') + + userdom_search_user_home_dirs($1) -+ manage_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) ++ manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) ++ read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) ++ pulseaudio_filetrans_home_content($1) ') ######################################## ## -## Create, read, write, and delete -## pulseaudio home content. -+## Create pulseaudio content in the user home directory -+## with an correct label. ++## Create, read, write, and delete pulseaudio ++## home directory symlinks. ## - ## +-## ++## ## -@@ -291,62 +300,74 @@ interface(`pulseaudio_manage_home_files',` + ## Domain allowed access. ## ## # -interface(`pulseaudio_manage_home',` -+interface(`pulseaudio_filetrans_home_content',` ++interface(`pulseaudio_manage_home_symlinks',` gen_require(` type pulseaudio_home_t; ') -- userdom_search_user_home_dirs($1) + userdom_search_user_home_dirs($1) - allow $1 pulseaudio_home_t:dir manage_dir_perms; - allow $1 pulseaudio_home_t:file manage_file_perms; - allow $1 pulseaudio_home_t:lnk_file manage_lnk_file_perms; -+ userdom_user_home_dir_filetrans($1, pulseaudio_home_t, dir, ".pulse") -+ userdom_user_home_dir_filetrans($1, pulseaudio_home_t, file, ".pulse-cookie") -+ userdom_user_home_dir_filetrans($1, pulseaudio_home_t, file, ".esd_auth") -+ optional_policy(` -+ gnome_config_filetrans($1, pulseaudio_home_t, dir, "pulse") -+ ') ++ manage_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) ') ######################################## 
@@ -58826,7 +58863,7 @@ index fa3dc8e..59808e5 100644 -## Create objects in user home -## directories with the pulseaudio -## home type. -+## Create pulseaudio content in the admin home directory ++## Create pulseaudio content in the user home directory +## with an correct label. ## ## @@ -58840,10 +58877,31 @@ index fa3dc8e..59808e5 100644 -## -## -## --## ++# ++interface(`pulseaudio_filetrans_home_content',` ++ gen_require(` ++ type pulseaudio_home_t; ++ ') ++ ++ userdom_user_home_dir_filetrans($1, pulseaudio_home_t, dir, ".pulse") ++ userdom_user_home_dir_filetrans($1, pulseaudio_home_t, file, ".pulse-cookie") ++ userdom_user_home_dir_filetrans($1, pulseaudio_home_t, file, ".esd_auth") ++ optional_policy(` ++ gnome_config_filetrans($1, pulseaudio_home_t, dir, "pulse") ++ ') ++') ++ ++######################################## ++## ++## Create pulseaudio content in the admin home directory ++## with an correct label. ++## ++## + ## -## The name of the object being created. --## --## ++## Domain allowed access. + ## + ## # -interface(`pulseaudio_home_filetrans_pulseaudio_home',` +interface(`pulseaudio_filetrans_admin_home_content',` @@ -63241,7 +63299,7 @@ index 951db7f..6d6ec1d 100644 + allow $1 mdadm_exec_t:file { getattr_file_perms execute }; ') diff --git a/raid.te b/raid.te -index 2c1730b..d75003d 100644 +index 2c1730b..259b790 100644 --- a/raid.te +++ b/raid.te @@ -15,6 +15,9 @@ role mdadm_roles types mdadm_t; @@ -63309,7 +63367,7 @@ index 2c1730b..d75003d 100644 mls_file_read_all_levels(mdadm_t) mls_file_write_all_levels(mdadm_t) -@@ -70,16 +80,17 @@ storage_dev_filetrans_fixed_disk(mdadm_t) +@@ -70,16 +80,18 @@ storage_dev_filetrans_fixed_disk(mdadm_t) storage_manage_fixed_disk(mdadm_t) storage_read_scsi_generic(mdadm_t) storage_write_scsi_generic(mdadm_t) 
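Review bot: Both interface descriptions read `with an correct label`; it should be `with the correct label` on the context line kept for pulseaudio_filetrans_home_content and on the new line added for pulseaudio_filetrans_admin_home_content. Since pulseaudio_filetrans_home_content also sets the transition for `.pulse-cookie`, the description could name the objects it covers so callers know the authentication cookie is included. The body of the admin variant continues past the end of the hunk, so whether it mirrors the same three names is not visible here.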
@@ -63322,6 +63380,7 @@ index 2c1730b..d75003d 100644 + init_dontaudit_getattr_initctl(mdadm_t) ++logging_dontaudit_getattr_all_logs(mdadm_t) logging_send_syslog_msg(mdadm_t) -miscfiles_read_localization(mdadm_t) @@ -71545,7 +71604,7 @@ index aee75af..a6bab06 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index 57c034b..31e7d21 100644 +index 57c034b..fccf544 100644 --- a/samba.te +++ b/samba.te @@ -1,4 +1,4 @@ @@ -71820,7 +71879,7 @@ index 57c034b..31e7d21 100644 ') optional_policy(` -+ realmd_read_cache_files(samba_net_t) ++ realmd_manage_cache_files(samba_net_t) + realmd_read_tmp_files(samba_net_t) +') + @@ -75892,10 +75951,10 @@ index 0000000..c9d2d9c + diff --git a/sge.te b/sge.te new file mode 100644 -index 0000000..9a329a1 +index 0000000..af30acf --- /dev/null +++ b/sge.te -@@ -0,0 +1,191 @@ +@@ -0,0 +1,195 @@ +policy_module(sge, 1.0.0) + +######################################## @@ -75942,19 +76001,23 @@ index 0000000..9a329a1 +# sge_execd local policy +# + -+allow sge_execd_t self:capability { dac_override setuid chown setgid }; ++allow sge_execd_t self:capability { dac_override kill setuid chown setgid }; +allow sge_execd_t self:process { setsched signal setpgid }; + +allow sge_execd_t sge_shepherd_t:process signal; + +kernel_read_kernel_sysctls(sge_execd_t) + ++corenet_tcp_bind_sge_port(sge_execd_t) ++corenet_tcp_connect_sge_port(sge_execd_t) ++ +dev_read_sysfs(sge_execd_t) + +files_exec_usr_files(sge_execd_t) +files_search_spool(sge_execd_t) + +fs_getattr_xattr_fs(sge_execd_t) ++fs_read_cgroup_files(sge_execd_t) + +auth_use_nsswitch(sge_execd_t) + @@ -87076,7 +87139,7 @@ index 9dec06c..7877729 100644 + allow $1 svirt_image_t:chr_file rw_file_perms; ') diff --git a/virt.te b/virt.te -index 1f22fba..3f1bc45 100644 +index 1f22fba..f48ade0 100644 --- a/virt.te +++ b/virt.te @@ -1,94 +1,98 @@ 
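Review bot: In the samba.te hunk, samba_net_t's access to the realmd cache is widened from `realmd_read_cache_files` to `realmd_manage_cache_files` with no comment saying what it writes, and the widening is not mentioned in the changelog. If `net ads join` genuinely rewrites realmd's cache, record it beside the call, `# net ads join updates the realmd cache — TODO confirm which files`, so the write access does not look like a copy-paste of the read line. The enclosing optional_policy block is fully inside the hunk; the rest of the samba_net_t section is not.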
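Review bot: The `kill` capability added to sge_execd_t in the sge.te hunk lets it bypass the DAC owner check when signalling, and the only process-class rule visible is the existing `allow sge_execd_t sge_shepherd_t:process signal;`, so the SELinux layer still confines signalling to sge_shepherd_t; a comment recording why DAC-level kill is needed, `# kill: jobs run under the submitting user's UID — TODO confirm`, would stop the capability from looking stray. The new `corenet_tcp_bind_sge_port`/`corenet_tcp_connect_sge_port` calls depend on the sge port declaration added to the base patch earlier in this commit, so the two patches must land together. `fs_read_cgroup_files` is reasonable for a job executor that reads cgroup accounting, if that is the purpose.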
@@ -87696,14 +87759,14 @@ index 1f22fba..3f1bc45 100644 -manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") -- --stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) --stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") +stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t) +-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) +-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +- -can_exec(virtd_t, virt_tmp_t) - -kernel_read_crypto_sysctls(virtd_t) @@ -87838,15 +87901,13 @@ index 1f22fba..3f1bc45 100644 fs_manage_cifs_files(virtd_t) fs_read_cifs_symlinks(virtd_t) ') -@@ -646,107 +470,328 @@ optional_policy(` - consoletype_exec(virtd_t) - ') +@@ -649,104 +473,325 @@ optional_policy(` + optional_policy(` + dbus_system_bus_client(virtd_t) --optional_policy(` -- dbus_system_bus_client(virtd_t) -+optional_policy(` -+ dbus_system_bus_client(virtd_t) -+ +- optional_policy(` +- avahi_dbus_chat(virtd_t) +- ') + optional_policy(` + avahi_dbus_chat(virtd_t) + ') @@ -88039,10 +88100,7 @@ index 1f22fba..3f1bc45 100644 +dev_rw_inherited_vhost(virt_domain) + +domain_use_interactive_fds(virt_domain) - -- optional_policy(` -- avahi_dbus_chat(virtd_t) -- ') ++ +files_read_mnt_symlinks(virt_domain) +files_read_var_files(virt_domain) +files_search_all(virt_domain) 
@@ -88238,12 +88296,12 @@ index 1f22fba..3f1bc45 100644 -dontaudit virsh_t virt_var_lib_t:file read_file_perms; - -allow virsh_t svirt_lxc_domain:process transition; +- +-can_exec(virsh_t, virsh_exec_t) +manage_dirs_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +virt_filetrans_named_content(virsh_t) --can_exec(virsh_t, virsh_exec_t) -- -virt_domtrans(virsh_t) -virt_manage_images(virsh_t) -virt_manage_config(virsh_t) @@ -88729,7 +88787,7 @@ index 1f22fba..3f1bc45 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1198,5 +1246,75 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1198,5 +1246,79 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) @@ -88761,7 +88819,9 @@ index 1f22fba..3f1bc45 100644 + +files_list_all_mountpoints(virt_qemu_ga_t) +files_write_all_mountpoints(virt_qemu_ga_t) ++ +fs_list_all(virt_qemu_ga_t) ++fs_getattr_all_fs(virt_qemu_ga_t) + +term_use_virtio_console(virt_qemu_ga_t) +term_use_all_ttys(virt_qemu_ga_t) @@ -88771,6 +88831,8 @@ index 1f22fba..3f1bc45 100644 + +sysnet_dns_name_resolve(virt_qemu_ga_t) + ++systemd_exec_systemctl(virt_qemu_ga_t) ++ +userdom_use_user_ptys(virt_qemu_ga_t) + +optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index 2be5adc..7c9d6e1 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 44%{?dist} +Release: 45%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
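Review bot: `systemd_exec_systemctl(virt_qemu_ga_t)` presumably runs systemctl inside the guest agent's own domain, and the shutdown the changelog describes then also needs virt_qemu_ga_t to reach systemd's control channel (its private socket and/or D-Bus); whether the interface grants that, or whether another rule in this section already does, is not visible here, so verify the first guest-shutdown against audit output rather than assuming it works. Because the agent acts on commands sent by the host, a comment naming the intended power, `# qemu-ga guest-shutdown: systemctl poweroff/reboot on behalf of the host`, would make the purpose of the privilege explicit. The `fs_getattr_all_fs(virt_qemu_ga_t)` addition in the preceding hunk on this line is consistent with the existing fs_list_all line. The virt_qemu_ga_t section continues past the hunk.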
@@ -530,6 +530,24 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri May 17 2013 Miroslav Grepl 3.12.1-45 +- Add additional fixes for #948073 bug +- Allow sge_execd_t to also connect to sge ports +- Allow openshift_cron_t to manage openshift_var_lib_t sym links +- Allow openshift_cron_t to manage openshift_var_lib_t sym links +- Allow sge_execd to bind sge ports. Allow kill capability and reads cgroup files +- Remove pulseaudio filetrans pulseaudio_manage_home_dirs which is a part of pulseaudio_manage_home_files +- Add networkmanager_stream_connect() +- Make gnome-abrt wokring with staff_t +- Fix openshift_manage_lib_files() interface +- mdadm runs ps command which seems to getattr on random log files +- Allow mozilla_plugin_t to create pulseaudit_home_t directories +- Allow qemu-ga to shutdown virtual hosts +- Add labelling for cupsd-browsed +- Add web browser plugins to connect to aol ports +- Allow nm-dhcp-helper to stream connect to NM +- Add port definition for sge ports + * Mon May 13 2013 Miroslav Grepl 3.12.1-44 - Make sure users and unconfined domains create .hushlogin with the correct label - Allow pegaus to chat with realmd over DBus