diff --git a/policy-f20-base.patch b/policy-f20-base.patch
index 42c6b4f..8ba89c5 100644
--- a/policy-f20-base.patch
+++ b/policy-f20-base.patch
@@ -28225,7 +28225,7 @@ index 24e7804..76da5dd 100644
+ files_etc_filetrans($1, machineid_t, file, "machine-id" )
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index dd3be8d..8b457a1 100644
+index dd3be8d..3f4f878 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@@ -28332,8 +28332,12 @@ index dd3be8d..8b457a1 100644
# is ~sys_module really needed? observed:
# sys_boot
# sys_tty_config
-@@ -110,12 +152,33 @@ allow init_t self:fifo_file rw_fifo_file_perms;
+@@ -108,14 +150,37 @@ allow init_t self:capability ~sys_module;
+ allow init_t self:fifo_file rw_fifo_file_perms;
+
++allow init_t self:service manage_service_perms;
++
# Re-exec itself
can_exec(init_t, init_exec_t)
-
@@ -28372,7 +28376,7 @@ index dd3be8d..8b457a1 100644
allow init_t initctl_t:fifo_file manage_fifo_file_perms;
dev_filetrans(init_t, initctl_t, fifo_file)
-@@ -125,13 +188,18 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+@@ -125,13 +190,18 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
kernel_read_system_state(init_t)
kernel_share_state(init_t)
@@ -28392,7 +28396,7 @@ index dd3be8d..8b457a1 100644
domain_getpgid_all_domains(init_t)
domain_kill_all_domains(init_t)
-@@ -139,14 +207,20 @@ domain_signal_all_domains(init_t)
+@@ -139,14 +209,20 @@ domain_signal_all_domains(init_t)
domain_signull_all_domains(init_t)
domain_sigstop_all_domains(init_t)
domain_sigchld_all_domains(init_t)
@@ -28413,7 +28417,7 @@ index dd3be8d..8b457a1 100644
# file descriptors inherited from the rootfs:
files_dontaudit_rw_root_files(init_t)
files_dontaudit_rw_root_chr_files(init_t)
-@@ -156,28 +230,52 @@ fs_list_inotifyfs(init_t)
+@@ -156,28 +232,52 @@ fs_list_inotifyfs(init_t)
fs_write_ramfs_sockets(init_t)
mcs_process_set_categories(init_t)
@@ -28459,17 +28463,17 @@ index dd3be8d..8b457a1 100644
+
+miscfiles_manage_localization(init_t)
+miscfiles_filetrans_named_content(init_t)
-
--miscfiles_read_localization(init_t)
++
+userdom_use_user_ttys(init_t)
+userdom_manage_tmp_dirs(init_t)
+userdom_manage_tmp_sockets(init_t)
-+
+
+-miscfiles_read_localization(init_t)
+allow init_t self:process setsched;
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
-@@ -186,29 +284,208 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +286,208 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@@ -28499,19 +28503,19 @@ index dd3be8d..8b457a1 100644
+
+optional_policy(`
+ chronyd_read_keys(init_t)
-+')
-+
-+optional_policy(`
-+ kdump_read_crash(init_t)
')
optional_policy(`
- auth_rw_login_records(init_t)
-+ gnome_filetrans_home_content(init_t)
-+ gnome_manage_data(init_t)
++ kdump_read_crash(init_t)
')
optional_policy(`
++ gnome_filetrans_home_content(init_t)
++ gnome_manage_data(init_t)
++')
++
++optional_policy(`
+ iscsi_read_lib_files(init_t)
+')
+
@@ -28673,20 +28677,20 @@ index dd3be8d..8b457a1 100644
+ # the directory. But we do not want to allow this.
+ # The master process of dovecot will manage this file.
+ dovecot_dontaudit_unlink_lib_files(initrc_t)
-+')
-+
-+optional_policy(`
-+ networkmanager_stream_connect(init_t)
')
optional_policy(`
- nscd_use(init_t)
++ networkmanager_stream_connect(init_t)
++')
++
++optional_policy(`
+ plymouthd_stream_connect(init_t)
+ plymouthd_exec_plymouth(init_t)
')
optional_policy(`
-@@ -216,7 +493,30 @@ optional_policy(`
+@@ -216,7 +495,30 @@ optional_policy(`
')
optional_policy(`
@@ -28717,7 +28721,7 @@ index dd3be8d..8b457a1 100644
')
########################################
-@@ -225,8 +525,9 @@ optional_policy(`
+@@ -225,8 +527,9 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -28729,7 +28733,7 @@ index dd3be8d..8b457a1 100644
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -257,12 +558,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -257,12 +560,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -28746,7 +28750,7 @@ index dd3be8d..8b457a1 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -278,23 +583,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -278,23 +585,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -28789,7 +28793,7 @@ index dd3be8d..8b457a1 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -302,9 +620,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -302,9 +622,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -28801,7 +28805,7 @@ index dd3be8d..8b457a1 100644
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
-@@ -312,8 +632,10 @@ dev_write_framebuffer(initrc_t)
+@@ -312,8 +634,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -28812,7 +28816,7 @@ index dd3be8d..8b457a1 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -321,8 +643,7 @@ dev_manage_generic_files(initrc_t)
+@@ -321,8 +645,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -28822,7 +28826,7 @@ index dd3be8d..8b457a1 100644
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
-@@ -331,7 +652,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -331,7 +654,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -28830,7 +28834,7 @@ index dd3be8d..8b457a1 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -339,6 +659,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -339,6 +661,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -28838,7 +28842,7 @@ index dd3be8d..8b457a1 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -346,14 +667,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -346,14 +669,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -28856,7 +28860,7 @@ index dd3be8d..8b457a1 100644
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t)
-@@ -363,8 +685,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -363,8 +687,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -28870,7 +28874,7 @@ index dd3be8d..8b457a1 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -374,10 +700,11 @@ fs_mount_all_fs(initrc_t)
+@@ -374,10 +702,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -28884,7 +28888,7 @@ index dd3be8d..8b457a1 100644
mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t)
-@@ -386,6 +713,7 @@ mls_process_read_up(initrc_t)
+@@ -386,6 +715,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -28892,7 +28896,7 @@ index dd3be8d..8b457a1 100644
selinux_get_enforce_mode(initrc_t)
-@@ -397,6 +725,7 @@ term_use_all_terms(initrc_t)
+@@ -397,6 +727,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -28900,7 +28904,7 @@ index dd3be8d..8b457a1 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -415,20 +744,18 @@ logging_read_all_logs(initrc_t)
+@@ -415,20 +746,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -28924,7 +28928,7 @@ index dd3be8d..8b457a1 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -450,7 +777,6 @@ ifdef(`distro_gentoo',`
+@@ -450,7 +779,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t)
@@ -28932,7 +28936,7 @@ index dd3be8d..8b457a1 100644
term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks
-@@ -485,6 +811,10 @@ ifdef(`distro_gentoo',`
+@@ -485,6 +813,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -28943,7 +28947,7 @@ index dd3be8d..8b457a1 100644
alsa_read_lib(initrc_t)
')
-@@ -505,7 +835,7 @@ ifdef(`distro_redhat',`
+@@ -505,7 +837,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -28952,7 +28956,7 @@ index dd3be8d..8b457a1 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -520,6 +850,7 @@ ifdef(`distro_redhat',`
+@@ -520,6 +852,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -28960,7 +28964,7 @@ index dd3be8d..8b457a1 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -540,6 +871,7 @@ ifdef(`distro_redhat',`
+@@ -540,6 +873,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@@ -28968,7 +28972,7 @@ index dd3be8d..8b457a1 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -549,8 +881,44 @@ ifdef(`distro_redhat',`
+@@ -549,8 +883,44 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -29013,7 +29017,7 @@ index dd3be8d..8b457a1 100644
')
optional_policy(`
-@@ -558,14 +926,31 @@ ifdef(`distro_redhat',`
+@@ -558,14 +928,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -29045,7 +29049,7 @@ index dd3be8d..8b457a1 100644
')
')
-@@ -576,6 +961,39 @@ ifdef(`distro_suse',`
+@@ -576,6 +963,39 @@ ifdef(`distro_suse',`
')
')
@@ -29085,7 +29089,7 @@ index dd3be8d..8b457a1 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -588,6 +1006,8 @@ optional_policy(`
+@@ -588,6 +1008,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -29094,7 +29098,7 @@ index dd3be8d..8b457a1 100644
')
optional_policy(`
-@@ -609,6 +1029,7 @@ optional_policy(`
+@@ -609,6 +1031,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -29102,7 +29106,7 @@ index dd3be8d..8b457a1 100644
')
optional_policy(`
-@@ -625,6 +1046,17 @@ optional_policy(`
+@@ -625,6 +1048,17 @@ optional_policy(`
')
optional_policy(`
@@ -29120,7 +29124,7 @@ index dd3be8d..8b457a1 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -641,9 +1073,13 @@ optional_policy(`
+@@ -641,9 +1075,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -29134,7 +29138,7 @@ index dd3be8d..8b457a1 100644
')
optional_policy(`
-@@ -656,15 +1092,11 @@ optional_policy(`
+@@ -656,15 +1094,11 @@ optional_policy(`
')
optional_policy(`
@@ -29152,7 +29156,7 @@ index dd3be8d..8b457a1 100644
')
optional_policy(`
-@@ -685,6 +1117,15 @@ optional_policy(`
+@@ -685,6 +1119,15 @@ optional_policy(`
')
optional_policy(`
@@ -29168,7 +29172,7 @@ index dd3be8d..8b457a1 100644
inn_exec_config(initrc_t)
')
-@@ -725,6 +1166,7 @@ optional_policy(`
+@@ -725,6 +1168,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -29176,7 +29180,7 @@ index dd3be8d..8b457a1 100644
')
optional_policy(`
-@@ -742,7 +1184,13 @@ optional_policy(`
+@@ -742,7 +1186,13 @@ optional_policy(`
')
optional_policy(`
@@ -29191,7 +29195,7 @@ index dd3be8d..8b457a1 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -765,6 +1213,10 @@ optional_policy(`
+@@ -765,6 +1215,10 @@ optional_policy(`
')
optional_policy(`
@@ -29202,7 +29206,7 @@ index dd3be8d..8b457a1 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -774,10 +1226,20 @@ optional_policy(`
+@@ -774,10 +1228,20 @@ optional_policy(`
')
optional_policy(`
@@ -29223,7 +29227,7 @@ index dd3be8d..8b457a1 100644
quota_manage_flags(initrc_t)
')
-@@ -786,6 +1248,10 @@ optional_policy(`
+@@ -786,6 +1250,10 @@ optional_policy(`
')
optional_policy(`
@@ -29234,7 +29238,7 @@ index dd3be8d..8b457a1 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -807,8 +1273,6 @@ optional_policy(`
+@@ -807,8 +1275,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -29243,7 +29247,7 @@ index dd3be8d..8b457a1 100644
')
optional_policy(`
-@@ -817,6 +1281,10 @@ optional_policy(`
+@@ -817,6 +1283,10 @@ optional_policy(`
')
optional_policy(`
@@ -29254,7 +29258,7 @@ index dd3be8d..8b457a1 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -826,10 +1294,12 @@ optional_policy(`
+@@ -826,10 +1296,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -29267,7 +29271,7 @@ index dd3be8d..8b457a1 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -856,12 +1326,35 @@ optional_policy(`
+@@ -856,12 +1328,35 @@ optional_policy(`
')
optional_policy(`
@@ -29304,7 +29308,7 @@ index dd3be8d..8b457a1 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -871,6 +1364,18 @@ optional_policy(`
+@@ -871,6 +1366,18 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -29323,7 +29327,7 @@ index dd3be8d..8b457a1 100644
')
optional_policy(`
-@@ -886,6 +1391,10 @@ optional_policy(`
+@@ -886,6 +1393,10 @@ optional_policy(`
')
optional_policy(`
@@ -29334,7 +29338,7 @@ index dd3be8d..8b457a1 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -896,3 +1405,218 @@ optional_policy(`
+@@ -896,3 +1407,218 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index c50e452..f02fdf7 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -4816,7 +4816,7 @@ index 83e899c..64beed7 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
-index 1a82e29..9ac02fd 100644
+index 1a82e29..94764d1 100644
--- a/apache.te
+++ b/apache.te
@@ -1,297 +1,367 @@
@@ -6027,7 +6027,7 @@ index 1a82e29..9ac02fd 100644
+')
+
+optional_policy(`
-+ mirrormanager_read_pid_files(httpd_t)
++ mirrormanager_manage_pid_files(httpd_t)
+ mirrormanager_read_lib_files(httpd_t)
+ mirrormanager_read_log(httpd_t)
+')
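Review bot: Replacing `mirrormanager_read_pid_files(httpd_t)` with `mirrormanager_manage_pid_files(httpd_t)` widens httpd_t from read-only to full manage access (create, write, unlink) on `mirrormanager_var_run_t` files, and nothing in the hunk records which operation was being denied. If the web application only has to write to a file the mirrormanager service already creates, a narrower rw-only interface (which would have to be added to mirrormanager.if) keeps a compromised httpd process from creating or removing files under /var/run/mirrormanager. If full manage access really is required, add a comment above the call, for example `# httpd_t creates and removes files in /var/run/mirrormanager: <reason or bug reference>`.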
@@ -8026,7 +8026,7 @@ index 089430a..b0bed70 100644
+ allow $1 automount_unit_file_t:service all_service_perms;
')
diff --git a/automount.te b/automount.te
-index a579c3b..294b5f4 100644
+index a579c3b..f27656d 100644
--- a/automount.te
+++ b/automount.te
@@ -22,12 +22,16 @@ type automount_tmp_t;
@@ -8063,7 +8063,15 @@ index a579c3b..294b5f4 100644
files_search_boot(automount_t)
files_search_all(automount_t)
files_unmount_all_file_type_fs(automount_t)
-@@ -130,15 +132,18 @@ auth_use_nsswitch(automount_t)
+@@ -108,6 +110,7 @@ fs_manage_autofs_symlinks(automount_t)
+ fs_mount_all_fs(automount_t)
+ fs_mount_autofs(automount_t)
+ fs_read_nfs_files(automount_t)
++fs_read_nfs_symlinks(automount_t)
+ fs_search_all(automount_t)
+ fs_search_auto_mountpoints(automount_t)
+ fs_unmount_all_fs(automount_t)
+@@ -130,15 +133,18 @@ auth_use_nsswitch(automount_t)
logging_send_syslog_msg(automount_t)
logging_search_logs(automount_t)
@@ -8086,7 +8094,7 @@ index a579c3b..294b5f4 100644
fstools_domtrans(automount_t)
')
-@@ -160,3 +165,8 @@ optional_policy(`
+@@ -160,3 +166,8 @@ optional_policy(`
optional_policy(`
udev_read_db(automount_t)
')
@@ -10627,7 +10635,7 @@ index 008f8ef..144c074 100644
admin_pattern($1, certmonger_var_run_t)
')
diff --git a/certmonger.te b/certmonger.te
-index 2354e21..fb4590f 100644
+index 2354e21..8b373e6 100644
--- a/certmonger.te
+++ b/certmonger.te
@@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t)
@@ -10664,7 +10672,7 @@ index 2354e21..fb4590f 100644
corenet_all_recvfrom_unlabeled(certmonger_t)
corenet_all_recvfrom_netlabel(certmonger_t)
-@@ -49,16 +55,21 @@ corenet_tcp_sendrecv_generic_node(certmonger_t)
+@@ -49,16 +55,23 @@ corenet_tcp_sendrecv_generic_node(certmonger_t)
corenet_sendrecv_certmaster_client_packets(certmonger_t)
corenet_tcp_connect_certmaster_port(certmonger_t)
@@ -10672,6 +10680,8 @@ index 2354e21..fb4590f 100644
+corenet_tcp_connect_http_port(certmonger_t)
+corenet_tcp_connect_http_cache_port(certmonger_t)
+
++corenet_tcp_connect_ldap_port(certmonger_t)
++
+corenet_tcp_connect_pki_ca_port(certmonger_t)
corenet_tcp_sendrecv_certmaster_port(certmonger_t)
@@ -10687,7 +10697,7 @@ index 2354e21..fb4590f 100644
files_list_tmp(certmonger_t)
fs_search_cgroup_dirs(certmonger_t)
-@@ -70,16 +81,17 @@ init_getattr_all_script_files(certmonger_t)
+@@ -70,16 +83,17 @@ init_getattr_all_script_files(certmonger_t)
logging_send_syslog_msg(certmonger_t)
@@ -10708,7 +10718,7 @@ index 2354e21..fb4590f 100644
')
optional_policy(`
-@@ -92,11 +104,47 @@ optional_policy(`
+@@ -92,11 +106,47 @@ optional_policy(`
')
optional_policy(`
@@ -17532,7 +17542,7 @@ index b25b01d..e99c5c6 100644
')
+
diff --git a/ctdb.te b/ctdb.te
-index 6ce66e7..06f71d5 100644
+index 6ce66e7..d95f222 100644
--- a/ctdb.te
+++ b/ctdb.te
@@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t)
@@ -17560,7 +17570,7 @@ index 6ce66e7..06f71d5 100644
append_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t)
create_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t)
-@@ -57,7 +62,13 @@ files_spool_filetrans(ctdbd_t, ctdbd_spool_t, dir)
+@@ -57,10 +62,17 @@ files_spool_filetrans(ctdbd_t, ctdbd_spool_t, dir)
exec_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
manage_dirs_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
manage_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
@@ -17575,7 +17585,11 @@ index 6ce66e7..06f71d5 100644
manage_dirs_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)
manage_files_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)
-@@ -72,9 +83,11 @@ corenet_all_recvfrom_netlabel(ctdbd_t)
++manage_sock_files_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)
+ files_pid_filetrans(ctdbd_t, ctdbd_var_run_t, dir)
+
+ kernel_read_network_state(ctdbd_t)
+@@ -72,9 +84,11 @@ corenet_all_recvfrom_netlabel(ctdbd_t)
corenet_tcp_sendrecv_generic_if(ctdbd_t)
corenet_tcp_sendrecv_generic_node(ctdbd_t)
corenet_tcp_bind_generic_node(ctdbd_t)
@@ -17587,7 +17601,7 @@ index 6ce66e7..06f71d5 100644
corenet_tcp_sendrecv_ctdb_port(ctdbd_t)
corecmd_exec_bin(ctdbd_t)
-@@ -85,12 +98,14 @@ dev_read_urand(ctdbd_t)
+@@ -85,12 +99,14 @@ dev_read_urand(ctdbd_t)
domain_dontaudit_read_all_domains_state(ctdbd_t)
@@ -17604,7 +17618,7 @@ index 6ce66e7..06f71d5 100644
miscfiles_read_public_files(ctdbd_t)
optional_policy(`
-@@ -109,6 +124,7 @@ optional_policy(`
+@@ -109,6 +125,7 @@ optional_policy(`
samba_initrc_domtrans(ctdbd_t)
samba_domtrans_net(ctdbd_t)
samba_rw_var_files(ctdbd_t)
@@ -27594,7 +27608,7 @@ index e39de43..6a6db28 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/gnome.if b/gnome.if
-index d03fd43..74170f8 100644
+index d03fd43..4155cd4 100644
--- a/gnome.if
+++ b/gnome.if
@@ -1,123 +1,157 @@
@@ -28657,7 +28671,7 @@ index d03fd43..74170f8 100644
##
##
##
-@@ -704,12 +778,913 @@ interface(`gnome_stream_connect_gkeyringd',`
+@@ -704,12 +778,931 @@ interface(`gnome_stream_connect_gkeyringd',`
##
##
#
@@ -29069,6 +29083,24 @@ index d03fd43..74170f8 100644
+ delete_files_pattern($1, config_home_t, config_home_t)
+')
+
++########################################
++##
++## Create gnome homedir content (.config)
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_create_home_config_dirs',`
++ gen_require(`
++ type cache_home_t;
++ ')
++
++ allow $1 config_home_t:dir create_dir_perms;
++')
++
+#######################################
+##
+## setattr gnome homedir content (.config)
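Review bot: The new `gnome_create_home_config_dirs` interface declares `type cache_home_t;` in its `gen_require` block, but the only rule it emits is `allow $1 config_home_t:dir create_dir_perms;`, so the type it uses is never required. This looks like a copy-paste slip from a cache_home interface. A caller whose module does not already have `config_home_t` in scope would presumably fail to build or load. The require line should read `type config_home_t;`, matching the type used by the `delete_files_pattern($1, config_home_t, config_home_t)` interface just above it.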
@@ -29577,7 +29609,7 @@ index d03fd43..74170f8 100644
+ type_transition $1 gkeyringd_exec_t:process $2;
')
diff --git a/gnome.te b/gnome.te
-index 20f726b..2af3f4b 100644
+index 20f726b..45fe41c 100644
--- a/gnome.te
+++ b/gnome.te
@@ -1,18 +1,36 @@
@@ -29621,7 +29653,7 @@ index 20f726b..2af3f4b 100644
typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t };
typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t };
typealias gconf_home_t alias unconfined_gconf_home_t;
-@@ -29,107 +47,225 @@ type gconfd_exec_t;
+@@ -29,107 +47,226 @@ type gconfd_exec_t;
typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t };
typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
userdom_user_application_domain(gconfd_t, gconfd_exec_t)
@@ -29882,6 +29914,7 @@ index 20f726b..2af3f4b 100644
optional_policy(`
- telepathy_mission_control_read_state(gkeyringd_domain)
++ gnome_create_home_config_dirs(gkeyringd_domain)
+ gnome_read_home_config(gkeyringd_domain)
+ gnome_manage_generic_cache_files(gkeyringd_domain)
+ gnome_manage_cache_home_dir(gkeyringd_domain)
@@ -38507,10 +38540,10 @@ index 0000000..da30c5d
+')
diff --git a/lsm.te b/lsm.te
new file mode 100644
-index 0000000..ba791e5
+index 0000000..5a9d09d
--- /dev/null
+++ b/lsm.te
-@@ -0,0 +1,70 @@
+@@ -0,0 +1,72 @@
+policy_module(lsm, 1.0.0)
+
+########################################
@@ -38562,6 +38595,7 @@ index 0000000..ba791e5
+allow lsmd_plugin_t self:udp_socket create_socket_perms;
+
+domtrans_pattern(lsmd_t, lsmd_plugin_exec_t, lsmd_plugin_t)
++allow lsmd_plugin_t lsmd_t:unix_stream_socket { read write };
+
+allow lsmd_t lsmd_plugin_exec_t:file read_file_perms;
+stream_connect_pattern(lsmd_plugin_t, lsmd_var_run_t, lsmd_var_run_t, lsmd_t)
@@ -38577,6 +38611,7 @@ index 0000000..ba791e5
+corecmd_exec_bin(lsmd_plugin_t)
+
+init_stream_connect(lsmd_plugin_t)
++init_dontaudit_rw_stream_socket(lsmd_plugin_t)
+
+logging_send_syslog_msg(lsmd_plugin_t)
+
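Review bot: `init_dontaudit_rw_stream_socket(lsmd_plugin_t)` is added without a comment explaining why the denial is suppressed rather than allowed or fixed. A dontaudit rule removes the AVC record from the audit log, so anyone later investigating lsmd plugin behaviour will not see these accesses at all. Please record the reason next to the rule, for example `# plugins inherit a stream socket from init via lsmd and do not need it (presumably a leaked descriptor; confirm)`. The sibling hunk that adds `allow lsmd_plugin_t lsmd_t:unix_stream_socket { read write };` would benefit from a one-line comment as well.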
@@ -40620,10 +40655,10 @@ index 0000000..c713b27
+/var/run/mirrormanager(/.*)? gen_context(system_u:object_r:mirrormanager_var_run_t,s0)
diff --git a/mirrormanager.if b/mirrormanager.if
new file mode 100644
-index 0000000..dd049c7
+index 0000000..adf2319
--- /dev/null
+++ b/mirrormanager.if
-@@ -0,0 +1,224 @@
+@@ -0,0 +1,243 @@
+
+## policy for mirrormanager
+
@@ -40741,6 +40776,7 @@ index 0000000..dd049c7
+ ')
+
+ files_search_var_lib($1)
++ list_dirs_pattern($1, mirrormanager_var_lib_t, mirrormanager_var_lib_t)
+ read_files_pattern($1, mirrormanager_var_lib_t, mirrormanager_var_lib_t)
+')
+
@@ -40801,6 +40837,24 @@ index 0000000..dd049c7
+ read_files_pattern($1, mirrormanager_var_run_t, mirrormanager_var_run_t)
+')
+
++########################################
++##
++## Manage mirrormanager PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mirrormanager_manage_pid_files',`
++ gen_require(`
++ type mirrormanager_var_run_t;
++ ')
++
++ files_search_pids($1)
++ manage_files_pattern($1, mirrormanager_var_run_t, mirrormanager_var_run_t)
++')
+
+########################################
+##
@@ -57802,7 +57856,7 @@ index d2fc677..ded726f 100644
')
+
diff --git a/pegasus.te b/pegasus.te
-index 7bcf327..6fa25ba 100644
+index 7bcf327..e4f2a0a 100644
--- a/pegasus.te
+++ b/pegasus.te
@@ -1,17 +1,16 @@
@@ -57826,7 +57880,7 @@ index 7bcf327..6fa25ba 100644
type pegasus_cache_t;
files_type(pegasus_cache_t)
-@@ -30,20 +29,291 @@ files_type(pegasus_mof_t)
+@@ -30,20 +29,293 @@ files_type(pegasus_mof_t)
type pegasus_var_run_t;
files_pid_file(pegasus_var_run_t)
@@ -58065,6 +58119,8 @@ index 7bcf327..6fa25ba 100644
+udev_domtrans(pegasus_openlmi_storage_t)
+udev_read_pid_files(pegasus_openlmi_storage_t)
+
++miscfiles_read_hwdata(pegasus_openlmi_storage_t)
++
+optional_policy(`
+ dmidecode_domtrans(pegasus_openlmi_storage_t)
+')
@@ -58123,7 +58179,7 @@ index 7bcf327..6fa25ba 100644
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
-@@ -54,22 +324,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
+@@ -54,22 +326,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
@@ -58154,7 +58210,7 @@ index 7bcf327..6fa25ba 100644
kernel_read_network_state(pegasus_t)
kernel_read_kernel_sysctls(pegasus_t)
-@@ -80,27 +350,21 @@ kernel_read_net_sysctls(pegasus_t)
+@@ -80,27 +352,21 @@ kernel_read_net_sysctls(pegasus_t)
kernel_read_xen_state(pegasus_t)
kernel_write_xen_state(pegasus_t)
@@ -58187,7 +58243,7 @@ index 7bcf327..6fa25ba 100644
corecmd_exec_bin(pegasus_t)
corecmd_exec_shell(pegasus_t)
-@@ -114,9 +378,11 @@ files_getattr_all_dirs(pegasus_t)
+@@ -114,9 +380,11 @@ files_getattr_all_dirs(pegasus_t)
auth_use_nsswitch(pegasus_t)
auth_domtrans_chk_passwd(pegasus_t)
@@ -58199,7 +58255,7 @@ index 7bcf327..6fa25ba 100644
files_list_var_lib(pegasus_t)
files_read_var_lib_files(pegasus_t)
-@@ -128,18 +394,29 @@ init_stream_connect_script(pegasus_t)
+@@ -128,18 +396,29 @@ init_stream_connect_script(pegasus_t)
logging_send_audit_msgs(pegasus_t)
logging_send_syslog_msg(pegasus_t)
@@ -58235,7 +58291,7 @@ index 7bcf327..6fa25ba 100644
')
optional_policy(`
-@@ -151,16 +428,24 @@ optional_policy(`
+@@ -151,16 +430,24 @@ optional_policy(`
')
optional_policy(`
@@ -58264,7 +58320,7 @@ index 7bcf327..6fa25ba 100644
')
optional_policy(`
-@@ -168,7 +453,7 @@ optional_policy(`
+@@ -168,7 +455,7 @@ optional_policy(`
')
optional_policy(`
@@ -74202,7 +74258,7 @@ index 47de2d6..a7e8263 100644
+/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0)
+/var/log/pcsd(/.*)? gen_context(system_u:object_r:cluster_var_log_t,s0)
diff --git a/rhcs.if b/rhcs.if
-index 56bc01f..f1ee87e 100644
+index 56bc01f..1337d42 100644
--- a/rhcs.if
+++ b/rhcs.if
@@ -1,19 +1,19 @@
@@ -74573,7 +74629,7 @@ index 56bc01f..f1ee87e 100644
')
######################################
-@@ -446,52 +497,360 @@ interface(`rhcs_domtrans_qdiskd',`
+@@ -446,52 +497,361 @@ interface(`rhcs_domtrans_qdiskd',`
########################################
##
@@ -74826,6 +74882,7 @@ index 56bc01f..f1ee87e 100644
+ ')
+
+ rw_files_pattern($1, cluster_tmpfs_t, cluster_tmpfs_t)
++ delete_files_pattern($1, cluster_tmpfs_t, cluster_tmpfs_t)
+')
+
+#####################################
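Review bot: Adding `delete_files_pattern($1, cluster_tmpfs_t, cluster_tmpfs_t)` after the existing `rw_files_pattern` line grants unlink on cluster tmpfs files to every domain that already calls this interface, not only the one that hit the denial. The interface name and its summary start outside this hunk; if they describe read/write access only, the contract no longer matches the rules. Either update the summary to mention delete, or put the delete rule in a separate interface and call that only from the domain that needs it.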
@@ -74963,7 +75020,7 @@ index 56bc01f..f1ee87e 100644
+ allow $1 cluster_unit_file_t:service all_service_perms;
')
diff --git a/rhcs.te b/rhcs.te
-index 2c2de9a..f8b98bd 100644
+index 2c2de9a..9b2ddd8 100644
--- a/rhcs.te
+++ b/rhcs.te
@@ -20,6 +20,27 @@ gen_tunable(fenced_can_network_connect, false)
@@ -75339,7 +75396,15 @@ index 2c2de9a..f8b98bd 100644
corecmd_exec_bin(fenced_t)
corecmd_exec_shell(fenced_t)
-@@ -148,9 +433,7 @@ corenet_tcp_sendrecv_http_port(fenced_t)
+@@ -140,6 +425,7 @@ corenet_udp_sendrecv_ionixnetmon_port(fenced_t)
+
+ corenet_sendrecv_zented_server_packets(fenced_t)
+ corenet_tcp_bind_zented_port(fenced_t)
++corenet_udp_bind_zented_port(fenced_t)
+ corenet_tcp_sendrecv_zented_port(fenced_t)
+
+ corenet_sendrecv_http_client_packets(fenced_t)
+@@ -148,9 +434,7 @@ corenet_tcp_sendrecv_http_port(fenced_t)
dev_read_sysfs(fenced_t)
dev_read_urand(fenced_t)
@@ -75350,7 +75415,7 @@ index 2c2de9a..f8b98bd 100644
storage_raw_read_fixed_disk(fenced_t)
storage_raw_write_fixed_disk(fenced_t)
-@@ -160,7 +443,7 @@ term_getattr_pty_fs(fenced_t)
+@@ -160,7 +444,7 @@ term_getattr_pty_fs(fenced_t)
term_use_generic_ptys(fenced_t)
term_use_ptmx(fenced_t)
@@ -75359,7 +75424,7 @@ index 2c2de9a..f8b98bd 100644
tunable_policy(`fenced_can_network_connect',`
corenet_sendrecv_all_client_packets(fenced_t)
-@@ -182,7 +465,8 @@ optional_policy(`
+@@ -182,7 +466,8 @@ optional_policy(`
')
optional_policy(`
@@ -75369,7 +75434,7 @@ index 2c2de9a..f8b98bd 100644
')
optional_policy(`
-@@ -190,12 +474,12 @@ optional_policy(`
+@@ -190,12 +475,12 @@ optional_policy(`
')
optional_policy(`
@@ -75385,7 +75450,7 @@ index 2c2de9a..f8b98bd 100644
')
optional_policy(`
-@@ -203,6 +487,13 @@ optional_policy(`
+@@ -203,6 +488,13 @@ optional_policy(`
snmp_manage_var_lib_dirs(fenced_t)
')
@@ -75399,7 +75464,7 @@ index 2c2de9a..f8b98bd 100644
#######################################
#
# foghorn local policy
-@@ -221,16 +512,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
+@@ -221,16 +513,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
corenet_tcp_connect_agentx_port(foghorn_t)
corenet_tcp_sendrecv_agentx_port(foghorn_t)
@@ -75420,7 +75485,7 @@ index 2c2de9a..f8b98bd 100644
snmp_stream_connect(foghorn_t)
')
-@@ -257,6 +550,8 @@ storage_getattr_removable_dev(gfs_controld_t)
+@@ -257,6 +551,8 @@ storage_getattr_removable_dev(gfs_controld_t)
init_rw_script_tmp_files(gfs_controld_t)
@@ -75429,7 +75494,7 @@ index 2c2de9a..f8b98bd 100644
optional_policy(`
lvm_exec(gfs_controld_t)
dev_rw_lvm_control(gfs_controld_t)
-@@ -275,10 +570,39 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
+@@ -275,10 +571,39 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
dev_list_sysfs(groupd_t)
@@ -75471,7 +75536,7 @@ index 2c2de9a..f8b98bd 100644
######################################
#
# qdiskd local policy
-@@ -321,6 +645,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
+@@ -321,6 +646,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
auth_use_nsswitch(qdiskd_t)
@@ -78744,7 +78809,7 @@ index 0628d50..e9dbd7e 100644
+ allow rpm_script_t $1:process sigchld;
')
diff --git a/rpm.te b/rpm.te
-index 5cbe81c..5b28e97 100644
+index 5cbe81c..ab091de 100644
--- a/rpm.te
+++ b/rpm.te
@@ -1,15 +1,13 @@
@@ -79143,7 +79208,7 @@ index 5cbe81c..5b28e97 100644
ifdef(`distro_redhat',`
optional_policy(`
-@@ -363,41 +379,61 @@ ifdef(`distro_redhat',`
+@@ -363,41 +379,65 @@ ifdef(`distro_redhat',`
')
')
@@ -79163,6 +79228,10 @@ index 5cbe81c..5b28e97 100644
+
+optional_policy(`
+ cups_filetrans_named_content(rpm_script_t)
++')
++
++optional_policy(`
++ sblim_filetrans_named_content(rpm_script_t)
')
optional_policy(`
@@ -79215,7 +79284,7 @@ index 5cbe81c..5b28e97 100644
optional_policy(`
java_domtrans_unconfined(rpm_script_t)
-@@ -409,6 +445,6 @@ optional_policy(`
+@@ -409,6 +449,6 @@ optional_policy(`
')
optional_policy(`
@@ -84028,7 +84097,7 @@ index 68a550d..e976fc6 100644
/var/run/gather(/.*)? gen_context(system_u:object_r:sblim_var_run_t,s0)
diff --git a/sblim.if b/sblim.if
-index 98c9e0a..df51942 100644
+index 98c9e0a..d4aa009 100644
--- a/sblim.if
+++ b/sblim.if
@@ -1,8 +1,36 @@
@@ -84079,25 +84148,41 @@ index 98c9e0a..df51942 100644
##
##
##
-@@ -40,34 +68,33 @@ interface(`sblim_read_pid_files',`
+@@ -40,34 +68,51 @@ interface(`sblim_read_pid_files',`
########################################
##
-## All of the rules required to
-## administrate an sblim environment.
-+## All of the rules required to administrate
-+## an gatherd environment
++## Transition to sblim named content
##
##
##
- ## Domain allowed access.
+-## Domain allowed access.
++## Domain allowed access.
##
##
-##
--##
++#
++interface(`sblim_filetrans_named_content',`
++ gen_require(`
++ type sblim_var_run_t;
++ ')
++
++ files_pid_filetrans($1, sblim_var_run_t, dir, "gather")
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an gatherd environment
++##
++##
+ ##
-## Role allowed access.
--##
--##
++## Domain allowed access.
+ ##
+ ##
##
#
interface(`sblim_admin',`
@@ -99912,6 +99997,132 @@ index 9ead775..b5285e7 100644
userdom_dontaudit_search_user_home_dirs(vlock_t)
-userdom_use_user_terminals(vlock_t)
+userdom_use_inherited_user_terminals(vlock_t)
+diff --git a/vmtools.fc b/vmtools.fc
+new file mode 100644
+index 0000000..5726cdb
+--- /dev/null
++++ b/vmtools.fc
+@@ -0,0 +1,3 @@
++/usr/bin/vmtoolsd -- gen_context(system_u:object_r:vmtools_exec_t,s0)
++
++/usr/lib/systemd/system/vmtoolsd.* -- gen_context(system_u:object_r:vmtools_unit_file_t,s0)
+diff --git a/vmtools.if b/vmtools.if
+new file mode 100644
+index 0000000..044be2f
+--- /dev/null
++++ b/vmtools.if
+@@ -0,0 +1,78 @@
++## VMware Tools daemon
++
++########################################
++##
++## Execute vmtools in the vmtools domin.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`vmtools_domtrans',`
++ gen_require(`
++ type vmtools_t, vmtools_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, vmtools_exec_t, vmtools_t)
++')
++########################################
++##
++## Execute vmtools server in the vmtools domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`vmtools_systemctl',`
++ gen_require(`
++ type vmtools_t;
++ type vmtools_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_read_fifo_file_passwd_run($1)
++ allow $1 vmtools_unit_file_t:file read_file_perms;
++ allow $1 vmtools_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, vmtools_t)
++')
++
++
++########################################
++##
++## All of the rules required to administrate
++## an vmtools environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`vmtools_admin',`
++ gen_require(`
++ type vmtools_t;
++ type vmtools_unit_file_t;
++ ')
++
++ allow $1 vmtools_t:process { signal_perms };
++ ps_process_pattern($1, vmtools_t)
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 ninfod_t:process ptrace;
++ ')
++
++ vmtools_systemctl($1)
++ admin_pattern($1, vmtools_unit_file_t)
++ allow $1 vmtools_unit_file_t:service all_service_perms;
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/vmtools.te b/vmtools.te
+new file mode 100644
+index 0000000..7918651
+--- /dev/null
++++ b/vmtools.te
+@@ -0,0 +1,27 @@
++policy_module(vmtools, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type vmtools_t;
++type vmtools_exec_t;
++init_daemon_domain(vmtools_t, vmtools_exec_t)
++
++type vmtools_unit_file_t;
++systemd_unit_file(vmtools_unit_file_t)
++
++########################################
++#
++# vmtools local policy
++#
++allow vmtools_t self:fifo_file rw_fifo_file_perms;
++allow vmtools_t self:unix_stream_socket create_stream_socket_perms;
++allow vmtools_t self:unix_dgram_socket create_socket_perms;
++
++auth_use_nsswitch(vmtools_t)
++
++dev_read_urand(vmtools_t)
++
++logging_send_syslog_msg(vmtools_t)
diff --git a/vmware.if b/vmware.if
index 20a1fb2..470ea95 100644
--- a/vmware.if
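Review bot: In the new `vmtools_admin` interface, the `deny_ptrace` tunable block contains `allow $1 ninfod_t:process ptrace;`, which names a type that is neither declared in this interface's `gen_require` nor part of the vmtools module. It looks like residue from the module this file was copied from. As written, the caller would get ptrace on an unrelated daemon's domain rather than on `vmtools_t`, or the interface would fail to resolve where `ninfod_t` is not defined. The line should read `allow $1 vmtools_t:process ptrace;`. Separately, the summary above `vmtools_systemctl` repeats the domain-transition wording from `vmtools_domtrans`, although the interface actually grants systemctl execution and `manage_service_perms` on `vmtools_unit_file_t`; the comment should say so, because reviewers deciding whether to call an interface rely on it.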
diff --git a/selinux-policy.spec b/selinux-policy.spec
index ed7629e..fd041b4 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 117%{?dist}
+Release: 118%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -576,6 +576,42 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Thu Jan 16 2014 Miroslav Grepl 3.12.1-118
+- Allow init_t to work on transitient and snapshot unit files
+- Add logging_manage_syslog_config()
+- Update sysnet_dns_name_resolve() to allow connect to dnssec por
+- Allow pegasus_openlmi_storage_t to read hwdata
+- Fix rhcs_rw_cluster_tmpfs()
+- Allow fenced_t to bind on zented udp port
+- Added policy for vmtools
+- Fix mirrormanager_read_lib_files()
+- Allow mirromanager scripts running as httpd_t to manage mirrormanager pid files
+- Allow ctdb to create sock files in /var/run/ctdb
+- Add sblim_filetrans_named_content() interface
+- Allow rpm scritplets to create /run/gather with correct labeling
+- Allow gnome keyring domains to create gnome config dirs
+- Dontaudit read/write to init stream socket for lsmd_plugin_t
+- Allow automount to read nfs link files
+- Allow lsm plugins to read/write lsmd stream socket
+- Allow certmonger to connect ldap port to make IPA CA certificate renewal working.
+- Add also labeling for /var/run/ctdb
+- Add missing labeling for /var/lib/ctdb
+- ALlow tuned to manage syslog.conf. Should be fixed in tuned. #1030446
+- Dontaudit hypervkvp to search homedirs
+- Dontaudit hypervkvp to search admin homedirs
+- Allow hypervkvp to execute bin_t and ifconfig in the caller domain
+- Dontaudit xguest_t to read ABRT conf files
+- Add abrt_dontaudit_read_config()
+- Allow namespace-init to getattr on fs
+- Add thumb_role() also for xguest
+- Add filename transitions to create .spamassassin with correct labeling
+- Allow apache domain to read mirrormanager pid files
+- Allow domains to read/write shm and sem owned by mozilla_plugin_t
+- Allow alsactl to send a generic signal to kernel_t
+- Allow plymouthd to read run/udev/queue.bin
+- Allow sys_chroot for NM required by iodine service
+- Change glusterd to allow mounton all non security
+
* Wed Jan 15 2014 Miroslav Grepl 3.12.1-117
- Add back rpm_run for unconfined_t