diff --git a/policy-F16.patch b/policy-F16.patch
index dcb3be5..2f1e6f9 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -2555,10 +2555,18 @@ index 93ec175..0e42018 100644
')
')
diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te
-index af55369..ec838bd 100644
+index af55369..76fc186 100644
--- a/policy/modules/admin/prelink.te
+++ b/policy/modules/admin/prelink.te
-@@ -36,7 +36,7 @@ files_type(prelink_var_lib_t)
+@@ -18,6 +18,7 @@ type prelink_cron_system_t;
+ type prelink_cron_system_exec_t;
+ domain_type(prelink_cron_system_t)
+ domain_entry_file(prelink_cron_system_t, prelink_cron_system_exec_t)
++domain_obj_id_change_exemption(prelink_cron_system_t)
+
+ type prelink_log_t;
+ logging_log_file(prelink_log_t)
+@@ -36,7 +37,7 @@ files_type(prelink_var_lib_t)
# Local policy
#
@@ -2567,7 +2575,7 @@ index af55369..ec838bd 100644
allow prelink_t self:process { execheap execmem execstack signal };
allow prelink_t self:fifo_file rw_fifo_file_perms;
-@@ -59,10 +59,11 @@ manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
+@@ -59,10 +60,11 @@ manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
relabel_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
files_var_lib_filetrans(prelink_t, prelink_var_lib_t, { dir file })
@@ -2580,7 +2588,7 @@ index af55369..ec838bd 100644
kernel_read_system_state(prelink_t)
kernel_read_kernel_sysctls(prelink_t)
-@@ -73,6 +74,7 @@ corecmd_mmap_all_executables(prelink_t)
+@@ -73,6 +75,7 @@ corecmd_mmap_all_executables(prelink_t)
corecmd_read_bin_symlinks(prelink_t)
dev_read_urand(prelink_t)
@@ -2588,7 +2596,7 @@ index af55369..ec838bd 100644
files_list_all(prelink_t)
files_getattr_all_files(prelink_t)
-@@ -86,6 +88,8 @@ files_relabelfrom_usr_files(prelink_t)
+@@ -86,6 +89,8 @@ files_relabelfrom_usr_files(prelink_t)
fs_getattr_xattr_fs(prelink_t)
@@ -2597,7 +2605,7 @@ index af55369..ec838bd 100644
selinux_get_enforce_mode(prelink_t)
libs_exec_ld_so(prelink_t)
-@@ -98,7 +102,15 @@ libs_delete_lib_symlinks(prelink_t)
+@@ -98,7 +103,15 @@ libs_delete_lib_symlinks(prelink_t)
miscfiles_read_localization(prelink_t)
@@ -2614,7 +2622,7 @@ index af55369..ec838bd 100644
optional_policy(`
amanda_manage_lib(prelink_t)
-@@ -109,6 +121,15 @@ optional_policy(`
+@@ -109,6 +122,15 @@ optional_policy(`
')
optional_policy(`
@@ -2630,7 +2638,7 @@ index af55369..ec838bd 100644
rpm_manage_tmp_files(prelink_t)
')
-@@ -129,6 +150,7 @@ optional_policy(`
+@@ -129,6 +151,7 @@ optional_policy(`
read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t)
allow prelink_cron_system_t prelink_cache_t:file unlink;
@@ -2638,7 +2646,7 @@ index af55369..ec838bd 100644
domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t)
allow prelink_cron_system_t prelink_t:process noatsecure;
-@@ -148,17 +170,29 @@ optional_policy(`
+@@ -148,17 +171,29 @@ optional_policy(`
files_read_etc_files(prelink_cron_system_t)
files_search_var_lib(prelink_cron_system_t)
@@ -25623,7 +25631,7 @@ index deca9d3..ac92fce 100644
')
diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
-index 9e39aa5..203a5aa 100644
+index 9e39aa5..12333a8 100644
--- a/policy/modules/services/apache.fc
+++ b/policy/modules/services/apache.fc
@@ -1,21 +1,30 @@
@@ -25708,7 +25716,7 @@ index 9e39aa5..203a5aa 100644
/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-@@ -73,26 +87,36 @@ ifdef(`distro_suse', `
+@@ -73,26 +87,38 @@ ifdef(`distro_suse', `
/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -25722,8 +25730,10 @@ index 9e39aa5..203a5aa 100644
+/var/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
-+/var/lib/stickshift/.httpd.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
-+/var/lib/openshift/.httpd.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
++/var/lib/stickshift/\.httpd\.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
++/var/lib/openshift/\.httpd\.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
++/var/lib/openshift/\.log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++
+/var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/trac(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -25747,7 +25757,7 @@ index 9e39aa5..203a5aa 100644
/var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
-@@ -105,7 +129,31 @@ ifdef(`distro_debian', `
+@@ -105,7 +131,31 @@ ifdef(`distro_debian', `
/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
@@ -26474,7 +26484,7 @@ index 6480167..eeb2953 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 3136c6a..fcb45ba 100644
+index 3136c6a..2042513 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -18,130 +18,253 @@ policy_module(apache, 2.2.1)
@@ -27251,7 +27261,7 @@ index 3136c6a..fcb45ba 100644
')
optional_policy(`
-@@ -576,6 +892,51 @@ optional_policy(`
+@@ -576,6 +892,55 @@ optional_policy(`
openca_kill(httpd_t)
')
@@ -27287,6 +27297,10 @@ index 3136c6a..fcb45ba 100644
+')
+
+optional_policy(`
++ openshift_initrc_signull(httpd_t)
++')
++
++optional_policy(`
+ tunable_policy(`httpd_run_stickshift', `
+ oddjob_dbus_chat(httpd_t)
+ ')
@@ -27303,7 +27317,7 @@ index 3136c6a..fcb45ba 100644
optional_policy(`
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
-@@ -591,6 +952,11 @@ optional_policy(`
+@@ -591,6 +956,11 @@ optional_policy(`
')
optional_policy(`
@@ -27315,7 +27329,7 @@ index 3136c6a..fcb45ba 100644
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -603,6 +969,12 @@ optional_policy(`
+@@ -603,6 +973,12 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -27328,7 +27342,7 @@ index 3136c6a..fcb45ba 100644
########################################
#
# Apache helper local policy
-@@ -616,7 +988,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -616,7 +992,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
logging_send_syslog_msg(httpd_helper_t)
@@ -27341,7 +27355,7 @@ index 3136c6a..fcb45ba 100644
########################################
#
-@@ -654,28 +1030,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -654,28 +1034,30 @@ libs_exec_lib_files(httpd_php_t)
userdom_use_unpriv_users_fds(httpd_php_t)
tunable_policy(`httpd_can_network_connect_db',`
@@ -27385,7 +27399,7 @@ index 3136c6a..fcb45ba 100644
')
########################################
-@@ -685,6 +1063,8 @@ optional_policy(`
+@@ -685,6 +1067,8 @@ optional_policy(`
allow httpd_suexec_t self:capability { setuid setgid };
allow httpd_suexec_t self:process signal_perms;
@@ -27394,7 +27408,7 @@ index 3136c6a..fcb45ba 100644
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -699,17 +1079,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -699,17 +1083,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -27420,7 +27434,7 @@ index 3136c6a..fcb45ba 100644
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -740,13 +1125,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -740,13 +1129,31 @@ tunable_policy(`httpd_can_network_connect',`
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@@ -27453,7 +27467,7 @@ index 3136c6a..fcb45ba 100644
fs_read_nfs_files(httpd_suexec_t)
fs_read_nfs_symlinks(httpd_suexec_t)
fs_exec_nfs_files(httpd_suexec_t)
-@@ -769,6 +1172,25 @@ optional_policy(`
+@@ -769,6 +1176,25 @@ optional_policy(`
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -27479,7 +27493,7 @@ index 3136c6a..fcb45ba 100644
########################################
#
# Apache system script local policy
-@@ -789,12 +1211,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -789,12 +1215,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
kernel_read_kernel_sysctls(httpd_sys_script_t)
@@ -27497,7 +27511,7 @@ index 3136c6a..fcb45ba 100644
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-@@ -803,18 +1230,50 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -803,18 +1234,50 @@ tunable_policy(`httpd_can_sendmail',`
mta_send_mail(httpd_sys_script_t)
')
@@ -27554,7 +27568,7 @@ index 3136c6a..fcb45ba 100644
corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -822,14 +1281,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -822,14 +1285,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
')
tunable_policy(`httpd_enable_homedirs',`
@@ -27595,7 +27609,7 @@ index 3136c6a..fcb45ba 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,10 +1326,20 @@ optional_policy(`
+@@ -842,10 +1330,20 @@ optional_policy(`
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -27616,7 +27630,7 @@ index 3136c6a..fcb45ba 100644
')
########################################
-@@ -891,11 +1385,49 @@ optional_policy(`
+@@ -891,11 +1389,49 @@ optional_policy(`
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -34300,7 +34314,7 @@ index 305ddf4..173cd16 100644
admin_pattern($1, ptal_etc_t)
diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
-index 0f28095..0dd5c5d 100644
+index 0f28095..bbf685f 100644
--- a/policy/modules/services/cups.te
+++ b/policy/modules/services/cups.te
@@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
@@ -34439,6 +34453,15 @@ index 0f28095..0dd5c5d 100644
')
optional_policy(`
+@@ -341,7 +361,7 @@ optional_policy(`
+ # Cups configuration daemon local policy
+ #
+
+-allow cupsd_config_t self:capability { chown dac_override sys_tty_config };
++allow cupsd_config_t self:capability { chown dac_override setuid setgid sys_tty_config };
+ dontaudit cupsd_config_t self:capability sys_tty_config;
+ allow cupsd_config_t self:process { getsched signal_perms };
+ allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
@@ -371,8 +391,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
@@ -45932,7 +45955,7 @@ index 256166a..2320c87 100644
+/var/spool/mqueue\.in(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
-index 343cee3..4099451 100644
+index 343cee3..db50ceb 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -37,9 +37,9 @@ interface(`mta_stub',`
@@ -46059,7 +46082,8 @@ index 343cee3..4099451 100644
allow mta_user_agent $2:fd use;
allow mta_user_agent $2:process sigchld;
- allow mta_user_agent $2:fifo_file { read write };
+- allow mta_user_agent $2:fifo_file { read write };
++ allow mta_user_agent $2:fifo_file rw_inherited_fifo_file_perms;
+
+ optional_policy(`
+ exim_run($2, $1)
@@ -46129,6 +46153,15 @@ index 343cee3..4099451 100644
')
allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
+@@ -361,7 +304,7 @@ interface(`mta_send_mail',`
+
+ allow mta_user_agent $1:fd use;
+ allow mta_user_agent $1:process sigchld;
+- allow mta_user_agent $1:fifo_file rw_fifo_file_perms;
++ allow mta_user_agent $1:fifo_file rw_inherited_fifo_file_perms;
+ ')
+
+ ########################################
@@ -391,12 +334,17 @@ interface(`mta_send_mail',`
#
interface(`mta_sendmail_domtrans',`
@@ -48666,7 +48699,7 @@ index abe3f7f..2214d71 100644
+ nis_systemctl($1)
')
diff --git a/policy/modules/services/nis.te b/policy/modules/services/nis.te
-index 4876cae..8db6004 100644
+index 4876cae..bfebbec 100644
--- a/policy/modules/services/nis.te
+++ b/policy/modules/services/nis.te
@@ -24,6 +24,9 @@ files_tmp_file(ypbind_tmp_t)
@@ -48707,7 +48740,16 @@ index 4876cae..8db6004 100644
allow ypbind_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
allow ypbind_t self:netlink_route_socket r_netlink_socket_perms;
allow ypbind_t self:tcp_socket create_stream_socket_perms;
-@@ -142,8 +149,8 @@ optional_policy(`
+@@ -108,6 +115,8 @@ domain_use_interactive_fds(ypbind_t)
+ files_read_etc_files(ypbind_t)
+ files_list_var(ypbind_t)
+
++init_search_pid_dirs(ypbind_t)
++
+ logging_send_syslog_msg(ypbind_t)
+
+ miscfiles_read_localization(ypbind_t)
+@@ -142,8 +151,8 @@ optional_policy(`
allow yppasswdd_t self:capability dac_override;
dontaudit yppasswdd_t self:capability sys_tty_config;
@@ -48717,7 +48759,7 @@ index 4876cae..8db6004 100644
allow yppasswdd_t self:unix_dgram_socket create_socket_perms;
allow yppasswdd_t self:unix_stream_socket create_stream_socket_perms;
allow yppasswdd_t self:netlink_route_socket r_netlink_socket_perms;
-@@ -156,6 +163,8 @@ files_pid_filetrans(yppasswdd_t, yppasswdd_var_run_t, file)
+@@ -156,6 +165,8 @@ files_pid_filetrans(yppasswdd_t, yppasswdd_var_run_t, file)
manage_files_pattern(yppasswdd_t, var_yp_t, var_yp_t)
manage_lnk_files_pattern(yppasswdd_t, var_yp_t, var_yp_t)
@@ -48726,7 +48768,7 @@ index 4876cae..8db6004 100644
kernel_list_proc(yppasswdd_t)
kernel_read_proc_symlinks(yppasswdd_t)
kernel_getattr_proc_files(yppasswdd_t)
-@@ -211,6 +220,10 @@ optional_policy(`
+@@ -211,6 +222,10 @@ optional_policy(`
')
optional_policy(`
@@ -48737,7 +48779,7 @@ index 4876cae..8db6004 100644
seutil_sigchld_newrole(yppasswdd_t)
')
-@@ -224,8 +237,8 @@ optional_policy(`
+@@ -224,8 +239,8 @@ optional_policy(`
#
dontaudit ypserv_t self:capability sys_tty_config;
@@ -50024,10 +50066,10 @@ index 0000000..c9a5f74
+/var/run/openshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0)
diff --git a/policy/modules/services/openshift.if b/policy/modules/services/openshift.if
new file mode 100644
-index 0000000..681f8a0
+index 0000000..71d6f47
--- /dev/null
+++ b/policy/modules/services/openshift.if
-@@ -0,0 +1,556 @@
+@@ -0,0 +1,574 @@
+
+## policy for openshift
+
@@ -50050,6 +50092,24 @@ index 0000000..681f8a0
+ domtrans_pattern($1, openshift_initrc_exec_t, openshift_initrc_t)
+')
+
++######################################
++##
++## Send a null signal to openshift init scripts.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`openshift_initrc_signull',`
++ gen_require(`
++ type openshift_initrc_t;
++ ')
++
++ allow $1 openshift_initrc_t:process signull;
++')
++
+########################################
+##
+## Search openshift cache directories.
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 9605a00..f87e921 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 95%{?dist}
+Release: 96%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,13 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Tue Nov 13 2012 Miroslav Grepl 3.10.0-96
+- httpd needs to send signull to openshift init script
+- Allow prelink_cron_system_t to overide user componant when cp -a-
+- Openshift seems to be storing apache logs in /var/lib/openshift/.log/httpd
+- Allow setuid/setgid for cupsd-config
+- New ypbind pkg wants to search /var/run which is caused by sd_notify
+
* Fri Nov 1 2012 Miroslav Grepl 3.10.0-95
- Add support for OpenShift sbin labeling