diff --git a/policy-rawhide.patch b/policy-rawhide.patch
index 2da01b6..ee8c8c6 100644
--- a/policy-rawhide.patch
+++ b/policy-rawhide.patch
@@ -122174,10 +122174,10 @@ index 54f1827..a2d5eaa 100644
+/usr/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/usr/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0)
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
-index 1700ef2..5b6d5d6 100644
+index 1700ef2..3024bc6 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
-@@ -22,6 +22,25 @@ interface(`storage_getattr_fixed_disk_dev',`
+@@ -22,6 +22,26 @@ interface(`storage_getattr_fixed_disk_dev',`
########################################
##
@@ -122196,6 +122196,7 @@ index 1700ef2..5b6d5d6 100644
+ ')
+
+ allow $1 fixed_disk_device_t:chr_file { read write };
++ allow $1 fixed_disk_device_t:blk_file { read write };
+')
+
+########################################
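Review bot: The added `allow $1 fixed_disk_device_t:blk_file { read write };` gives every caller of this interface write access to fixed-disk block nodes, with no comment saying why the block class is needed next to the existing chr_file rule. The permission set has no `open`, so it looks limited to descriptors the caller inherits, but a write through such a descriptor still bypasses the per-file labels of the filesystem on that disk. Other interfaces on this page pair raw disk access with an attribute (`typeattribute $1 fixed_disk_raw_read;`); if the storage module keeps neverallow assertions on raw reads and writes, callers of this one need the matching attributes too, which is worth confirming. I would add `# inherited descriptors only: open is deliberately not granted` above the two rules. The interface header and its doc block are outside this hunk.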
@@ -122203,7 +122204,7 @@ index 1700ef2..5b6d5d6 100644
## Do not audit attempts made by the caller to get
## the attributes of fixed disk device nodes.
##
-@@ -101,6 +120,8 @@ interface(`storage_raw_read_fixed_disk',`
+@@ -101,6 +121,8 @@ interface(`storage_raw_read_fixed_disk',`
dev_list_all_dev_nodes($1)
allow $1 fixed_disk_device_t:blk_file read_blk_file_perms;
allow $1 fixed_disk_device_t:chr_file read_chr_file_perms;
@@ -122212,7 +122213,7 @@ index 1700ef2..5b6d5d6 100644
typeattribute $1 fixed_disk_raw_read;
')
-@@ -205,6 +226,7 @@ interface(`storage_create_fixed_disk_dev',`
+@@ -205,6 +227,7 @@ interface(`storage_create_fixed_disk_dev',`
allow $1 self:capability mknod;
allow $1 fixed_disk_device_t:blk_file create_blk_file_perms;
@@ -122220,7 +122221,7 @@ index 1700ef2..5b6d5d6 100644
dev_add_entry_generic_dirs($1)
')
-@@ -269,6 +291,48 @@ interface(`storage_dev_filetrans_fixed_disk',`
+@@ -269,6 +292,48 @@ interface(`storage_dev_filetrans_fixed_disk',`
dev_filetrans($1, fixed_disk_device_t, blk_file)
')
@@ -122269,7 +122270,7 @@ index 1700ef2..5b6d5d6 100644
########################################
##
## Create block devices in on a tmpfs filesystem with the
-@@ -808,3 +872,369 @@ interface(`storage_unconfined',`
+@@ -808,3 +873,369 @@ interface(`storage_unconfined',`
typeattribute $1 storage_unconfined_type;
')
@@ -128735,7 +128736,7 @@ index 130ced9..af3532c 100644
+ files_search_tmp($1)
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index d40f750..e088d08 100644
+index d40f750..4f116f0 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,27 +26,50 @@ gen_require(`
@@ -129408,7 +129409,7 @@ index d40f750..e088d08 100644
')
optional_policy(`
-@@ -514,12 +734,65 @@ optional_policy(`
+@@ -514,12 +734,69 @@ optional_policy(`
')
optional_policy(`
@@ -129447,6 +129448,10 @@ index d40f750..e088d08 100644
+ ')
+
+ optional_policy(`
++ gnomeclock_dbus_chat(xdm_t)
++ ')
++
++ optional_policy(`
+ networkmanager_dbus_chat(xdm_t)
+ ')
+')
@@ -129474,7 +129479,7 @@ index d40f750..e088d08 100644
hostname_exec(xdm_t)
')
-@@ -537,28 +810,74 @@ optional_policy(`
+@@ -537,28 +814,74 @@ optional_policy(`
')
optional_policy(`
@@ -129558,7 +129563,7 @@ index d40f750..e088d08 100644
')
optional_policy(`
-@@ -570,6 +889,14 @@ optional_policy(`
+@@ -570,6 +893,14 @@ optional_policy(`
')
optional_policy(`
@@ -129573,7 +129578,7 @@ index d40f750..e088d08 100644
xfs_stream_connect(xdm_t)
')
-@@ -594,8 +921,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -594,8 +925,11 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -129586,7 +129591,7 @@ index d40f750..e088d08 100644
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -608,8 +938,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -608,8 +942,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -129602,7 +129607,7 @@ index d40f750..e088d08 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -628,12 +965,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -628,12 +969,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -129624,7 +129629,7 @@ index d40f750..e088d08 100644
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -641,12 +985,12 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -641,12 +989,12 @@ kernel_read_modprobe_sysctls(xserver_t)
# Xorg wants to check if kernel is tainted
kernel_read_kernel_sysctls(xserver_t)
kernel_write_proc_files(xserver_t)
@@ -129638,7 +129643,7 @@ index d40f750..e088d08 100644
corenet_all_recvfrom_netlabel(xserver_t)
corenet_tcp_sendrecv_generic_if(xserver_t)
corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -667,23 +1011,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -667,23 +1015,28 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -129670,7 +129675,7 @@ index d40f750..e088d08 100644
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -694,8 +1043,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -694,8 +1047,13 @@ fs_getattr_xattr_fs(xserver_t)
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -129684,7 +129689,7 @@ index d40f750..e088d08 100644
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -708,20 +1062,18 @@ init_getpgid(xserver_t)
+@@ -708,20 +1066,18 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)
@@ -129708,7 +129713,7 @@ index d40f750..e088d08 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -775,16 +1127,40 @@ optional_policy(`
+@@ -775,16 +1131,40 @@ optional_policy(`
')
optional_policy(`
@@ -129750,7 +129755,7 @@ index d40f750..e088d08 100644
unconfined_domtrans(xserver_t)
')
-@@ -793,6 +1169,10 @@ optional_policy(`
+@@ -793,6 +1173,10 @@ optional_policy(`
')
optional_policy(`
@@ -129761,7 +129766,7 @@ index d40f750..e088d08 100644
xfs_stream_connect(xserver_t)
')
-@@ -808,10 +1188,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -808,10 +1192,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -129775,7 +129780,7 @@ index d40f750..e088d08 100644
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -819,7 +1199,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -819,7 +1203,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp.
@@ -129784,7 +129789,7 @@ index d40f750..e088d08 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -832,26 +1212,21 @@ init_use_fds(xserver_t)
+@@ -832,26 +1216,21 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -129819,7 +129824,7 @@ index d40f750..e088d08 100644
')
optional_policy(`
-@@ -859,6 +1234,10 @@ optional_policy(`
+@@ -859,6 +1238,10 @@ optional_policy(`
rhgb_rw_tmpfs_files(xserver_t)
')
@@ -129830,7 +129835,7 @@ index d40f750..e088d08 100644
########################################
#
# Rules common to all X window domains
-@@ -902,7 +1281,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -902,7 +1285,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -129839,7 +129844,7 @@ index d40f750..e088d08 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -956,11 +1335,31 @@ allow x_domain self:x_resource { read write };
+@@ -956,11 +1339,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -129871,7 +129876,7 @@ index d40f750..e088d08 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -982,18 +1381,44 @@ tunable_policy(`! xserver_object_manager',`
+@@ -982,18 +1385,44 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -138778,7 +138783,7 @@ index 3822072..702e0e0 100644
+ logging_send_syslog_msg($1)
+')
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index ec01d0b..9deb89c 100644
+index ec01d0b..51e91d2 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -11,14 +11,17 @@ gen_require(`
@@ -139291,7 +139296,7 @@ index ec01d0b..9deb89c 100644
')
########################################
-@@ -522,108 +603,179 @@ ifdef(`distro_ubuntu',`
+@@ -522,108 +603,180 @@ ifdef(`distro_ubuntu',`
# Setfiles local policy
#
@@ -139426,6 +139431,7 @@ index ec01d0b..9deb89c 100644
+
+dev_relabel_all_dev_nodes(setfiles_domain)
+dev_dontaudit_rw_lvm_control(setfiles_domain)
++dev_dontaudit_read_rand(setfiles_domain)
+dev_dontaudit_read_urand(setfiles_domain)
+
+domain_use_interactive_fds(setfiles_domain)
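Review bot: `dev_dontaudit_read_rand(setfiles_domain)` is added without a comment, and a dontaudit rule removes the denial from the audit log, so a later reader cannot tell whether the read of the random device is expected noise or a behaviour change in one of the setfiles-family tools. I would add a one-line comment above it, `# <library or code path> probes the random device at start-up; the access is not needed`, with the placeholder filled in from the AVC record that motivated the rule. For triage, `semodule -DB` rebuilds the policy with dontaudit rules disabled so the suppressed denials become visible again.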
diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch
index f243357..33e5a37 100644
--- a/policy_contrib-rawhide.patch
+++ b/policy_contrib-rawhide.patch
@@ -896,7 +896,7 @@ index c0f858d..c256428 100644
+ allow $1 accountsd_unit_file_t:service all_service_perms;
')
diff --git a/accountsd.te b/accountsd.te
-index 1632f10..f4d7d4d 100644
+index 1632f10..5fe3889 100644
--- a/accountsd.te
+++ b/accountsd.te
@@ -1,5 +1,9 @@
@@ -960,7 +960,7 @@ index 1632f10..f4d7d4d 100644
logging_send_syslog_msg(accountsd_t)
logging_set_loginuid(accountsd_t)
-@@ -50,8 +63,19 @@ usermanage_domtrans_passwd(accountsd_t)
+@@ -50,8 +63,20 @@ usermanage_domtrans_passwd(accountsd_t)
optional_policy(`
consolekit_read_log(accountsd_t)
@@ -976,6 +976,7 @@ index 1632f10..f4d7d4d 100644
')
+
+optional_policy(`
++ xserver_read_xdm_tmp_files(accountsd_t)
+ xserver_read_state_xdm(accountsd_t)
+ xserver_dbus_chat_xdm(accountsd_t)
+ xserver_manage_xdm_etc_files(accountsd_t)
@@ -6624,10 +6625,10 @@ index 0000000..e8ada4b
+')
diff --git a/boinc.te b/boinc.te
new file mode 100644
-index 0000000..df7be69
+index 0000000..0a7e857
--- /dev/null
+++ b/boinc.te
-@@ -0,0 +1,198 @@
+@@ -0,0 +1,199 @@
+policy_module(boinc, 1.0.0)
+
+########################################
@@ -6756,6 +6757,7 @@ index 0000000..df7be69
+corenet_tcp_connect_boinc_port(boinc_t)
+corenet_tcp_connect_http_port(boinc_t)
+corenet_tcp_connect_http_cache_port(boinc_t)
++corenet_tcp_connect_squid_port(boinc_t)
+
+files_dontaudit_getattr_boot_dirs(boinc_t)
+
@@ -8639,10 +8641,10 @@ index 0000000..efebae7
+')
diff --git a/chrome.te b/chrome.te
new file mode 100644
-index 0000000..d4d04d0
+index 0000000..da41141
--- /dev/null
+++ b/chrome.te
-@@ -0,0 +1,185 @@
+@@ -0,0 +1,186 @@
+policy_module(chrome,1.0.0)
+
+########################################
@@ -8696,6 +8698,7 @@ index 0000000..d4d04d0
+fs_manage_cgroup_dirs(chrome_sandbox_t)
+fs_manage_cgroup_files(chrome_sandbox_t)
+fs_read_dos_files(chrome_sandbox_t)
++fs_read_hugetlbfs_files(chrome_sandbox_t)
+
+corecmd_exec_bin(chrome_sandbox_t)
+
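Review bot: `fs_read_hugetlbfs_files(chrome_sandbox_t)` widens a sandbox domain without a comment, and the same rule is added for `mozilla_plugin_t` in the mozilla.te hunk further down. Files on hugetlbfs are memory-backed, so if other domains on the host create huge-page files under the generic hugetlbfs type, this rule would let sandboxed or plugin code read them. That depends on how those files are labelled, which is not visible here. I would add a comment naming the component that opens the file, and check whether a `dontaudit` is enough if the sandbox only probes for huge-page support.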
@@ -11857,19 +11860,18 @@ index 6f2896d..ca0b28a 100644
unconfined_stream_connect(consolekit_t)
')
diff --git a/corosync.fc b/corosync.fc
-index 3a6d7eb..a12daf2 100644
+index 3a6d7eb..1bb208a 100644
--- a/corosync.fc
+++ b/corosync.fc
-@@ -1,12 +1,17 @@
+@@ -1,12 +1,14 @@
/etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0)
+-/usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0)
+/usr/lib/systemd/system/corosync.* -- gen_context(system_u:object_r:corosync_unit_file_t,s0)
-+
- /usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0)
-+/usr/sbin/corosync-notifyd -- gen_context(system_u:object_r:corosync_exec_t,s0)
- /usr/sbin/ccs_tool -- gen_context(system_u:object_r:corosync_exec_t,s0)
-+/usr/sbin/cman_tool -- gen_context(system_u:object_r:corosync_exec_t,s0)
+-/usr/sbin/ccs_tool -- gen_context(system_u:object_r:corosync_exec_t,s0)
++/usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0)
++/usr/sbin/corosync-notifyd -- gen_context(system_u:object_r:corosync_exec_t,s0)
/var/lib/corosync(/.*)? gen_context(system_u:object_r:corosync_var_lib_t,s0)
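Review bot: This hunk stops labelling `/usr/sbin/ccs_tool` as corosync_exec_t and no longer adds `/usr/sbin/cman_tool`, while the rgmanager.fc hunk later in this patch labels both as rgmanager_exec_t, so the two tools will now enter whatever domain rgmanager_exec_t transitions to. Two things to confirm before shipping: that the rgmanager domain has the access these tools previously had under the corosync domain (watch for new AVC denials after the update), and that installed systems are relabelled, since existing files keep the old type until something like `restorecon -v /usr/sbin/ccs_tool /usr/sbin/cman_tool` runs. A short comment in rgmanager.fc saying why the cluster tools live under the rgmanager type would save the next reader the archaeology.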
@@ -19811,7 +19813,7 @@ index 0000000..a446210
+')
diff --git a/dspam.te b/dspam.te
new file mode 100644
-index 0000000..a37d7ea
+index 0000000..be45ad6
--- /dev/null
+++ b/dspam.te
@@ -0,0 +1,90 @@
@@ -19864,6 +19866,7 @@ index 0000000..a37d7ea
+
+manage_dirs_pattern(dspam_t, dspam_var_run_t, dspam_var_run_t)
+manage_files_pattern(dspam_t, dspam_var_run_t, dspam_var_run_t)
++manage_sock_files_pattern(dspam_t, dspam_var_run_t, dspam_var_run_t)
+
+manage_sock_files_pattern(dspam_t, dspam_tmp_t, dspam_tmp_t)
+files_tmp_filetrans(dspam_t, dspam_tmp_t, { sock_file })
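Review bot: `manage_sock_files_pattern(dspam_t, dspam_var_run_t, dspam_var_run_t)` only covers sockets that already carry dspam_var_run_t. The visible lines show a type transition for sockets in the tmp directory (`files_tmp_filetrans(dspam_t, dspam_tmp_t, { sock_file })`) but none for the run directory. If dspam creates its socket directly under the pid directory rather than inside an already-labelled dspam subdirectory, the pid filetrans rule (outside this hunk, if there is one) needs `sock_file` in its class list, otherwise the socket gets the parent directory's type and the new rule never applies. Worth checking the label of the socket on a running system.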
@@ -19871,7 +19874,6 @@ index 0000000..a37d7ea
+# need to add the port tcp/10026 to corenetwork.te.in
+#allow dspam_t port_t:tcp_socket name_connect;
+
-+
+auth_use_nsswitch(dspam_t)
+
+# for RHEL5
@@ -23175,7 +23177,7 @@ index 00a19e3..20d0474 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/gnome.if b/gnome.if
-index f5afe78..8973bed 100644
+index f5afe78..71ec3f4 100644
--- a/gnome.if
+++ b/gnome.if
@@ -1,44 +1,1003 @@
@@ -24463,7 +24465,7 @@ index f5afe78..8973bed 100644
##
##
##
-@@ -140,51 +1242,274 @@ interface(`gnome_domtrans_gconfd',`
+@@ -140,51 +1242,278 @@ interface(`gnome_domtrans_gconfd',`
##
##
#
@@ -24649,6 +24651,7 @@ index f5afe78..8973bed 100644
+gen_require(`
+ type config_home_t;
+ type cache_home_t;
++ type dbus_home_t;
+ type gconf_home_t;
+ type gnome_home_t;
+ type data_home_t, icc_data_home_t;
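Review bot: `type dbus_home_t;` is required directly inside a gnome interface, so every caller of it now fails to build or link unless that type is declared. If the type belongs to the dbus module (its declaration is not visible here), the usual refpolicy convention is to reach it through an interface exported by the owning module, wrapped in `optional_policy` when that module can be absent. The same direct require is repeated in the admin-home variant two hunks down, and both feed the new `".dbus"` named transitions (`userdom_user_home_dir_filetrans` / `userdom_admin_home_dir_filetrans`). The enclosing interfaces start outside these hunks, so their names and doc blocks cannot be checked from here.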
@@ -24659,6 +24662,7 @@ index f5afe78..8973bed 100644
+ userdom_user_home_dir_filetrans($1, config_home_t, file, ".Xdefaults")
+ userdom_user_home_dir_filetrans($1, config_home_t, dir, ".xine")
+ userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".cache")
++ userdom_user_home_dir_filetrans($1, dbus_home_t, dir, ".dbus")
+ userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".nv")
+ userdom_user_home_dir_filetrans($1, config_home_t, dir, ".kde")
+ userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconf")
@@ -24691,6 +24695,7 @@ index f5afe78..8973bed 100644
+gen_require(`
+ type config_home_t;
+ type cache_home_t;
++ type dbus_home_t;
+ type gstreamer_home_t;
+ type gconf_home_t;
+ type gnome_home_t;
@@ -24701,6 +24706,7 @@ index f5afe78..8973bed 100644
+ userdom_admin_home_dir_filetrans($1, config_home_t, file, ".Xdefaults")
+ userdom_admin_home_dir_filetrans($1, config_home_t, dir, ".xine")
+ userdom_admin_home_dir_filetrans($1, cache_home_t, dir, ".cache")
++ userdom_admin_home_dir_filetrans($1, dbus_home_t, dir, ".dbus")
+ userdom_admin_home_dir_filetrans($1, config_home_t, dir, ".kde")
+ userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".gconf")
+ userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd")
@@ -28436,7 +28442,7 @@ index 4198ff5..d1ab262 100644
+ allow $1 kdump_unit_file_t:service all_service_perms;
')
diff --git a/kdump.te b/kdump.te
-index b29d8e2..6a6dcf0 100644
+index b29d8e2..f177074 100644
--- a/kdump.te
+++ b/kdump.te
@@ -15,15 +15,28 @@ files_config_file(kdump_etc_t)
@@ -28468,7 +28474,7 @@ index b29d8e2..6a6dcf0 100644
files_read_etc_runtime_files(kdump_t)
files_read_kernel_img(kdump_t)
-@@ -36,3 +49,87 @@ dev_read_framebuffer(kdump_t)
+@@ -36,3 +49,88 @@ dev_read_framebuffer(kdump_t)
dev_read_sysfs(kdump_t)
term_use_console(kdump_t)
@@ -28516,6 +28522,7 @@ index b29d8e2..6a6dcf0 100644
+files_getattr_all_dirs(kdumpctl_t)
+
+fs_getattr_all_fs(kdumpctl_t)
++fs_search_all(kdumpctl_t)
+
+application_executable_ioctl(kdumpctl_t)
+
@@ -33990,7 +33997,7 @@ index b397fde..c7c031d 100644
+')
+
diff --git a/mozilla.te b/mozilla.te
-index d4fcb75..91e3d11 100644
+index d4fcb75..9f560f2 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -7,19 +7,34 @@ policy_module(mozilla, 2.6.0)
@@ -34153,7 +34160,7 @@ index d4fcb75..91e3d11 100644
pulseaudio_stream_connect(mozilla_t)
pulseaudio_manage_home_files(mozilla_t)
')
-@@ -297,57 +317,88 @@ optional_policy(`
+@@ -297,65 +317,98 @@ optional_policy(`
# mozilla_plugin local policy
#
@@ -34256,8 +34263,10 @@ index d4fcb75..91e3d11 100644
+dev_read_generic_usb_dev(mozilla_plugin_t)
dev_read_video_dev(mozilla_plugin_t)
dev_write_video_dev(mozilla_plugin_t)
++dev_read_realtime_clock(mozilla_plugin_t)
dev_read_sysfs(mozilla_plugin_t)
-@@ -356,6 +407,7 @@ dev_write_sound(mozilla_plugin_t)
+ dev_read_sound(mozilla_plugin_t)
+ dev_write_sound(mozilla_plugin_t)
# for nvidia driver
dev_rw_xserver_misc(mozilla_plugin_t)
dev_dontaudit_rw_dri(mozilla_plugin_t)
@@ -34265,7 +34274,7 @@ index d4fcb75..91e3d11 100644
domain_use_interactive_fds(mozilla_plugin_t)
domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
-@@ -363,55 +415,58 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
+@@ -363,55 +416,59 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
files_read_config_files(mozilla_plugin_t)
files_read_usr_files(mozilla_plugin_t)
files_list_mnt(mozilla_plugin_t)
@@ -34276,6 +34285,7 @@ index d4fcb75..91e3d11 100644
fs_list_dos(mozilla_plugin_t)
-fs_read_dos_files(mozilla_plugin_t)
+fs_read_noxattr_fs_files(mozilla_plugin_t)
++fs_read_hugetlbfs_files(mozilla_plugin_t)
+application_exec(mozilla_plugin_t)
application_dontaudit_signull(mozilla_plugin_t)
@@ -34346,7 +34356,7 @@ index d4fcb75..91e3d11 100644
')
optional_policy(`
-@@ -422,24 +477,39 @@ optional_policy(`
+@@ -422,24 +479,39 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(mozilla_plugin_t)
dbus_session_bus_client(mozilla_plugin_t)
@@ -34390,7 +34400,7 @@ index d4fcb75..91e3d11 100644
')
optional_policy(`
-@@ -447,10 +517,113 @@ optional_policy(`
+@@ -447,10 +519,113 @@ optional_policy(`
pulseaudio_stream_connect(mozilla_plugin_t)
pulseaudio_setattr_home_dir(mozilla_plugin_t)
pulseaudio_manage_home_files(mozilla_plugin_t)
@@ -34532,7 +34542,7 @@ index d72276f..cb8c563 100644
mpd_initrc_domtrans($1)
domain_system_change_exemption($1)
diff --git a/mpd.te b/mpd.te
-index 7f68872..26a8191 100644
+index 7f68872..d92aaa8 100644
--- a/mpd.te
+++ b/mpd.te
@@ -44,6 +44,9 @@ allow mpd_t self:unix_stream_socket { connectto create_stream_socket_perms };
@@ -34564,7 +34574,15 @@ index 7f68872..26a8191 100644
corenet_all_recvfrom_netlabel(mpd_t)
corenet_tcp_sendrecv_generic_if(mpd_t)
corenet_tcp_sendrecv_generic_node(mpd_t)
-@@ -101,7 +107,9 @@ auth_use_nsswitch(mpd_t)
+@@ -87,6 +93,7 @@ corenet_sendrecv_http_cache_client_packets(mpd_t)
+ corenet_sendrecv_pulseaudio_client_packets(mpd_t)
+ corenet_sendrecv_soundd_client_packets(mpd_t)
+
++dev_read_urand(mpd_t)
+ dev_read_sound(mpd_t)
+ dev_write_sound(mpd_t)
+ dev_read_sysfs(mpd_t)
+@@ -101,7 +108,9 @@ auth_use_nsswitch(mpd_t)
logging_send_syslog_msg(mpd_t)
@@ -34575,10 +34593,16 @@ index 7f68872..26a8191 100644
optional_policy(`
alsa_read_rw_config(mpd_t)
-@@ -122,5 +130,14 @@ optional_policy(`
+@@ -122,5 +131,20 @@ optional_policy(`
')
optional_policy(`
++ #needed by pulseaudio
++ systemd_read_logind_sessions_files(mpd_t)
++ systemd_login_read_pid_files(mpd_t)
++')
++
++optional_policy(`
+ rtkit_daemon_dontaudit_dbus_chat(mpd_t)
+')
+
@@ -42438,7 +42462,7 @@ index d883214..d6afa87 100644
init_labeled_script_domtrans($1, openvpn_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/openvpn.te b/openvpn.te
-index 66a52ee..2f2e069 100644
+index 66a52ee..6db0311 100644
--- a/openvpn.te
+++ b/openvpn.te
@@ -24,6 +24,9 @@ files_config_file(openvpn_etc_t)
@@ -42470,7 +42494,7 @@ index 66a52ee..2f2e069 100644
allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms;
can_exec(openvpn_t, openvpn_etc_t)
-@@ -58,9 +61,15 @@ read_lnk_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t)
+@@ -58,9 +61,14 @@ read_lnk_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t)
manage_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t)
filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
@@ -42479,7 +42503,6 @@ index 66a52ee..2f2e069 100644
+manage_files_pattern(openvpn_t, openvpn_tmp_t, openvpn_tmp_t)
+files_tmp_filetrans(openvpn_t, openvpn_tmp_t, file)
+
-+
+manage_dirs_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
+manage_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
+logging_log_filetrans(openvpn_t, openvpn_var_log_t, { dir file })
@@ -42488,7 +42511,7 @@ index 66a52ee..2f2e069 100644
manage_files_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
files_pid_filetrans(openvpn_t, openvpn_var_run_t, { file dir })
-@@ -68,11 +77,11 @@ kernel_read_kernel_sysctls(openvpn_t)
+@@ -68,11 +76,11 @@ kernel_read_kernel_sysctls(openvpn_t)
kernel_read_net_sysctls(openvpn_t)
kernel_read_network_state(openvpn_t)
kernel_read_system_state(openvpn_t)
@@ -42501,7 +42524,7 @@ index 66a52ee..2f2e069 100644
corenet_all_recvfrom_netlabel(openvpn_t)
corenet_tcp_sendrecv_generic_if(openvpn_t)
corenet_udp_sendrecv_generic_if(openvpn_t)
-@@ -87,6 +96,7 @@ corenet_udp_bind_openvpn_port(openvpn_t)
+@@ -87,6 +95,7 @@ corenet_udp_bind_openvpn_port(openvpn_t)
corenet_tcp_bind_http_port(openvpn_t)
corenet_tcp_connect_openvpn_port(openvpn_t)
corenet_tcp_connect_http_port(openvpn_t)
@@ -42509,7 +42532,7 @@ index 66a52ee..2f2e069 100644
corenet_tcp_connect_http_cache_port(openvpn_t)
corenet_rw_tun_tap_dev(openvpn_t)
corenet_sendrecv_openvpn_server_packets(openvpn_t)
-@@ -100,33 +110,39 @@ dev_read_urand(openvpn_t)
+@@ -100,33 +109,39 @@ dev_read_urand(openvpn_t)
files_read_etc_files(openvpn_t)
files_read_etc_runtime_files(openvpn_t)
@@ -42558,7 +42581,7 @@ index 66a52ee..2f2e069 100644
optional_policy(`
daemontools_service_domain(openvpn_t, openvpn_exec_t)
-@@ -138,3 +154,7 @@ optional_policy(`
+@@ -138,3 +153,7 @@ optional_policy(`
networkmanager_dbus_chat(openvpn_t)
')
@@ -42842,10 +42865,10 @@ index 0000000..e2c300a
+')
diff --git a/openvswitch.te b/openvswitch.te
new file mode 100644
-index 0000000..40ef82b
+index 0000000..41542fd
--- /dev/null
+++ b/openvswitch.te
-@@ -0,0 +1,84 @@
+@@ -0,0 +1,85 @@
+policy_module(openvswitch, 1.0.0)
+
+########################################
@@ -42917,6 +42940,7 @@ index 0000000..40ef82b
+files_read_etc_files(openvswitch_t)
+
+fs_getattr_all_fs(openvswitch_t)
++fs_search_cgroup_dirs(openvswitch_t)
+
+auth_read_passwd(openvswitch_t)
+
@@ -53436,10 +53460,10 @@ index bf5efbf..b38b22d 100644
optional_policy(`
diff --git a/rgmanager.fc b/rgmanager.fc
-index 3c97ef0..48c4029 100644
+index 3c97ef0..578d460 100644
--- a/rgmanager.fc
+++ b/rgmanager.fc
-@@ -1,7 +1,19 @@
+@@ -1,7 +1,22 @@
+/etc/rc\.d/init\.d/cpglockd -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/rgmanager -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/heartbeat -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0)
@@ -53448,6 +53472,9 @@ index 3c97ef0..48c4029 100644
/usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
-/var/log/cluster/rgmanager\.log -- gen_context(system_u:object_r:rgmanager_var_log_t,s0)
++/usr/sbin/ccs_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
++/usr/sbin/cman_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
++
+/usr/lib(64)?/heartbeat(/.*)? gen_context(system_u:object_r:rgmanager_var_lib_t,s0)
+/usr/lib(64)?/heartbeat/heartbeat -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
+/var/lib/heartbeat(/.*)? gen_context(system_u:object_r:rgmanager_var_lib_t,s0)
@@ -54808,7 +54835,7 @@ index 137605a..7624759 100644
+ ')
')
diff --git a/rhsmcertd.te b/rhsmcertd.te
-index 783f678..e236bbf 100644
+index 783f678..414434d 100644
--- a/rhsmcertd.te
+++ b/rhsmcertd.te
@@ -29,6 +29,9 @@ files_pid_file(rhsmcertd_var_run_t)
@@ -54821,7 +54848,7 @@ index 783f678..e236bbf 100644
allow rhsmcertd_t self:fifo_file rw_fifo_file_perms;
allow rhsmcertd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -43,17 +46,31 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
+@@ -43,17 +46,35 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
@@ -54842,17 +54869,21 @@ index 783f678..e236bbf 100644
+files_manage_generic_locks(rhsmcertd_t)
+
+auth_read_passwd(rhsmcertd_t)
++
++logging_send_syslog_msg(rhsmcertd_t)
-miscfiles_read_localization(rhsmcertd_t)
-miscfiles_read_generic_certs(rhsmcertd_t)
-+logging_send_syslog_msg(rhsmcertd_t)
-+
+miscfiles_read_certs(rhsmcertd_t)
sysnet_dns_name_resolve(rhsmcertd_t)
+
+
+optional_policy(`
++ dmidecode_domtrans(rhsmcertd_t)
++')
++
++optional_policy(`
+ gnome_dontaudit_search_config(rhsmcertd_t)
+')
diff --git a/ricci.fc b/ricci.fc
@@ -59029,10 +59060,10 @@ index 0000000..f00e5c5
+')
diff --git a/sandboxX.te b/sandboxX.te
new file mode 100644
-index 0000000..6b8775a
+index 0000000..5269454
--- /dev/null
+++ b/sandboxX.te
-@@ -0,0 +1,456 @@
+@@ -0,0 +1,462 @@
+policy_module(sandboxX,1.0.0)
+
+dbus_stub()
@@ -59455,6 +59486,12 @@ index 0000000..6b8775a
+')
+
+optional_policy(`
++ # needed by pulseaudio
++ systemd_read_logind_sessions_files(sandbox_web_type)
++ systemd_login_read_pid_files(sandbox_web_type)
++')
++
++optional_policy(`
+ networkmanager_dontaudit_dbus_chat(sandbox_web_type)
+')
+
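Review bot: The two logind rules give every `sandbox_web_type` domain read access to logind's session and pid files, justified only by the comment `# needed by pulseaudio`, yet this domain exists to contain untrusted web content. As far as I know those files describe the sessions of all logged-in users, so this looks like an information exposure the sandbox did not have before. If pulseaudio merely probes the files and keeps working when denied, a dontaudit rule would silence the AVC without opening the access. The same pair is added for `mpd_t` in the mpd.te hunk of this patch, where the exposure matters less. I would extend the comment to say what breaks without the allow.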
@@ -60790,7 +60827,7 @@ index bcdd16c..039b0c8 100644
files_list_var_lib($1)
admin_pattern($1, setroubleshoot_var_lib_t)
diff --git a/setroubleshoot.te b/setroubleshoot.te
-index 086cd5f..497c1b4 100644
+index 086cd5f..3ec58d6 100644
--- a/setroubleshoot.te
+++ b/setroubleshoot.te
@@ -12,7 +12,7 @@ init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t)
@@ -60887,10 +60924,14 @@ index 086cd5f..497c1b4 100644
seutil_read_config(setroubleshootd_t)
seutil_read_file_contexts(setroubleshootd_t)
-@@ -121,10 +129,23 @@ seutil_read_bin_policy(setroubleshootd_t)
+@@ -121,10 +129,27 @@ seutil_read_bin_policy(setroubleshootd_t)
userdom_dontaudit_read_user_home_content_files(setroubleshootd_t)
optional_policy(`
++ abrt_dbus_chat(setroubleshootd_t)
++')
++
++optional_policy(`
+ locate_read_lib_files(setroubleshootd_t)
+')
+
@@ -60911,7 +60952,7 @@ index 086cd5f..497c1b4 100644
rpm_signull(setroubleshootd_t)
rpm_read_db(setroubleshootd_t)
rpm_dontaudit_manage_db(setroubleshootd_t)
-@@ -151,10 +172,14 @@ kernel_read_system_state(setroubleshoot_fixit_t)
+@@ -151,10 +176,14 @@ kernel_read_system_state(setroubleshoot_fixit_t)
corecmd_exec_bin(setroubleshoot_fixit_t)
corecmd_exec_shell(setroubleshoot_fixit_t)
@@ -60927,7 +60968,7 @@ index 086cd5f..497c1b4 100644
files_list_tmp(setroubleshoot_fixit_t)
auth_use_nsswitch(setroubleshoot_fixit_t)
-@@ -162,7 +187,16 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
+@@ -162,7 +191,16 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
logging_send_audit_msgs(setroubleshoot_fixit_t)
logging_send_syslog_msg(setroubleshoot_fixit_t)
@@ -65540,16 +65581,17 @@ index 25eee43..621f343 100644
/usr/sbin/atftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0)
/usr/sbin/in\.tftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0)
diff --git a/tftp.if b/tftp.if
-index 38bb312..0a40bc5 100644
+index 38bb312..d9fe23c 100644
--- a/tftp.if
+++ b/tftp.if
-@@ -13,9 +13,33 @@
+@@ -13,9 +13,34 @@
interface(`tftp_read_content',`
gen_require(`
type tftpdir_t;
+ type tftpdir_rw_t;
')
++ list_dirs_pattern($1, tftpdir_t, tftpdir_t)
read_files_pattern($1, tftpdir_t, tftpdir_t)
+ read_lnk_files_pattern($1, tftpdir_t, tftpdir_t)
+
@@ -65577,7 +65619,7 @@ index 38bb312..0a40bc5 100644
')
########################################
-@@ -40,6 +64,91 @@ interface(`tftp_manage_rw_content',`
+@@ -40,6 +65,91 @@ interface(`tftp_manage_rw_content',`
########################################
##
@@ -65669,7 +65711,7 @@ index 38bb312..0a40bc5 100644
## All of the rules required to administrate
## an tftp environment
##
-@@ -55,8 +164,13 @@ interface(`tftp_admin',`
+@@ -55,8 +165,13 @@ interface(`tftp_admin',`
type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_var_run_t;
')
@@ -65684,7 +65726,7 @@ index 38bb312..0a40bc5 100644
admin_pattern($1, tftpdir_rw_t)
-@@ -64,4 +178,6 @@ interface(`tftp_admin',`
+@@ -64,4 +179,6 @@ interface(`tftp_admin',`
files_list_pids($1)
admin_pattern($1, tftpd_var_run_t)
@@ -69544,7 +69586,7 @@ index 6f0736b..be0e5a5 100644
+ allow svirt_lxc_domain $1:process sigchld;
')
diff --git a/virt.te b/virt.te
-index 947bbc6..8bca6b2 100644
+index 947bbc6..83c3900 100644
--- a/virt.te
+++ b/virt.te
@@ -5,56 +5,94 @@ policy_module(virt, 1.5.0)
@@ -70025,11 +70067,12 @@ index 947bbc6..8bca6b2 100644
miscfiles_read_generic_certs(virtd_t)
miscfiles_read_hwdata(virtd_t)
-@@ -293,17 +482,32 @@ modutils_read_module_config(virtd_t)
+@@ -293,17 +482,33 @@ modutils_read_module_config(virtd_t)
modutils_manage_module_config(virtd_t)
logging_send_syslog_msg(virtd_t)
+logging_send_audit_msgs(virtd_t)
++logging_stream_connect_syslog(virtd_t)
+
+selinux_validate_context(virtd_t)
@@ -70058,7 +70101,7 @@ index 947bbc6..8bca6b2 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -322,6 +526,10 @@ optional_policy(`
+@@ -322,6 +527,10 @@ optional_policy(`
')
optional_policy(`
@@ -70069,7 +70112,7 @@ index 947bbc6..8bca6b2 100644
dbus_system_bus_client(virtd_t)
optional_policy(`
-@@ -335,19 +543,34 @@ optional_policy(`
+@@ -335,19 +544,34 @@ optional_policy(`
optional_policy(`
hal_dbus_chat(virtd_t)
')
@@ -70105,7 +70148,7 @@ index 947bbc6..8bca6b2 100644
# Manages /etc/sysconfig/system-config-firewall
iptables_manage_config(virtd_t)
-@@ -362,6 +585,12 @@ optional_policy(`
+@@ -362,6 +586,12 @@ optional_policy(`
')
optional_policy(`
@@ -70118,7 +70161,7 @@ index 947bbc6..8bca6b2 100644
policykit_dbus_chat(virtd_t)
policykit_domtrans_auth(virtd_t)
policykit_domtrans_resolve(virtd_t)
-@@ -369,11 +598,11 @@ optional_policy(`
+@@ -369,11 +599,11 @@ optional_policy(`
')
optional_policy(`
@@ -70135,7 +70178,7 @@ index 947bbc6..8bca6b2 100644
')
optional_policy(`
-@@ -384,6 +613,7 @@ optional_policy(`
+@@ -384,6 +614,7 @@ optional_policy(`
kernel_read_xen_state(virtd_t)
kernel_write_xen_state(virtd_t)
@@ -70143,7 +70186,7 @@ index 947bbc6..8bca6b2 100644
xen_stream_connect(virtd_t)
xen_stream_connect_xenstore(virtd_t)
xen_read_image_files(virtd_t)
-@@ -403,34 +633,48 @@ optional_policy(`
+@@ -403,34 +634,48 @@ optional_policy(`
# virtual domains common policy
#
@@ -70199,7 +70242,7 @@ index 947bbc6..8bca6b2 100644
dev_read_rand(virt_domain)
dev_read_sound(virt_domain)
dev_read_urand(virt_domain)
-@@ -438,10 +682,11 @@ dev_write_sound(virt_domain)
+@@ -438,10 +683,11 @@ dev_write_sound(virt_domain)
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
dev_rw_qemu(virt_domain)
@@ -70212,7 +70255,7 @@ index 947bbc6..8bca6b2 100644
files_read_usr_files(virt_domain)
files_read_var_files(virt_domain)
files_search_all(virt_domain)
-@@ -449,23 +694,521 @@ files_search_all(virt_domain)
+@@ -449,23 +695,525 @@ files_search_all(virt_domain)
fs_getattr_tmpfs(virt_domain)
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)
@@ -70266,12 +70309,14 @@ index 947bbc6..8bca6b2 100644
+typealias virsh_t alias xm_t;
+typealias virsh_exec_t alias xm_exec_t;
+
-+allow virsh_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config };
++allow virsh_t self:capability { setpcap dac_override ipc_lock sys_chroot sys_nice sys_tty_config };
+allow virsh_t self:process { getcap getsched setsched setcap signal };
+allow virsh_t self:fifo_file rw_fifo_file_perms;
+allow virsh_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow virsh_t self:tcp_socket create_stream_socket_perms;
+
++ps_process_pattern(virsh_t, svirt_lxc_domain)
++
+can_exec(virsh_t, virsh_exec_t)
+virt_domtrans(virsh_t)
+virt_manage_images(virsh_t)
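Review bot: The widened `virsh_t` capability set now carries `sys_chroot` next to `dac_override` and `setpcap`, with nothing in the policy text saying which virsh operation needs it. The same gap applies to `ipc_lock`, which the later hunk adds to every type in the `svirt_lxc_domain` attribute. Because `xm_t` is a typealias of `virsh_t`, the xm tooling also picks up the new capability and the `ps_process_pattern(virsh_t, svirt_lxc_domain)` access. I would put a rationale line above each rule, for example `# sys_chroot: needed by virsh when working with lxc guests (3.11.1-53)`, so a later audit can tell whether the grant is still required. The virsh_t section starts and continues outside this hunk.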
@@ -70410,6 +70455,8 @@ index 947bbc6..8bca6b2 100644
+# virt_lxc local policy
+#
+allow virtd_lxc_t self:capability { dac_override net_admin net_raw setpcap chown sys_admin sys_boot sys_resource };
++allow virtd_lxc_t self:capability2 compromise_kernel;
++
+allow virtd_lxc_t self:process { setexec setrlimit setsched getcap setcap signal_perms };
+allow virtd_lxc_t self:fifo_file rw_fifo_file_perms;
+allow virtd_lxc_t self:netlink_route_socket rw_netlink_socket_perms;
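Review bot: `allow virtd_lxc_t self:capability2 compromise_kernel;` is granted unconditionally to a domain that already holds `sys_admin`, `sys_boot` and `net_admin`. Going by its name, this permission gates operations that can alter the running kernel, so it deserves a narrower justification than the changelog's "lxc setup tool needs" it. The rule should carry a comment naming the operation that is denied without it, e.g. `# compromise_kernel: required by <operation> during container setup`, with the motivating AVC denial recorded in the commit message. If only some deployments need it, placing the rule inside a `tunable_policy` block, as the file already does for `virt_use_nfs`, would keep it off by default. The virtd_lxc_t local policy section continues outside this hunk.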
@@ -70512,7 +70559,7 @@ index 947bbc6..8bca6b2 100644
+#
+# virt_lxc_domain local policy
+#
-+allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
++allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot ipc_lock };
+
+allow virtd_t svirt_lxc_domain:unix_stream_socket { create_stream_socket_perms connectto };
+allow virtd_t svirt_lxc_domain:process { signal_perms };
@@ -72563,16 +72610,17 @@ index 8c0bd70..24dd920 100644
sysnet_dns_name_resolve(zabbix_agent_t)
diff --git a/zarafa.fc b/zarafa.fc
-index 3defaa1..560e6e3 100644
+index 3defaa1..a451e97 100644
--- a/zarafa.fc
+++ b/zarafa.fc
-@@ -8,19 +8,23 @@
+@@ -8,19 +8,24 @@
/usr/bin/zarafa-server -- gen_context(system_u:object_r:zarafa_server_exec_t,s0)
/usr/bin/zarafa-spooler -- gen_context(system_u:object_r:zarafa_spooler_exec_t,s0)
-/var/lib/zarafa-.* gen_context(system_u:object_r:zarafa_var_lib_t,s0)
+/var/lib/zarafa(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0)
+/var/lib/zarafa-webaccess(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0)
++/var/lib/zarafa-webapp(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0)
-/var/log/zarafa/gateway\.log -- gen_context(system_u:object_r:zarafa_gateway_log_t,s0)
-/var/log/zarafa/ical\.log -- gen_context(system_u:object_r:zarafa_ical_log_t,s0)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 85b60cb..da03fb8 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.11.1
-Release: 52%{?dist}
+Release: 53%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -523,6 +523,22 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon Nov 12 2012 Miroslav Grepl 3.11.1-53
+- Fix storage_rw_inherited_fixed_disk_dev() to cover also blk_file
+- Dontaudit setfiles reading /dev/random
+- On initial boot gnomeclock is going to need to be set buy gdm
+- Fix tftp_read_content() interface
+- Random apps looking at kernel file systems
+- Testing virt with lxc requiers additional access for virsh_t
+- New allow rules requied for latest libvirt, libvirt talks directly to journald,lxc setup tool needs compromize_kernel,and we need ipc_lock in the container
+- Allow MPD to read /dev/radnom
+- Allow sandbox_web_type to read logind files which needs to read pulseaudio
+- Allow mozilla plugins to read /dev/hpet
+- Add labeling for /var/lib/zarafa-webap
+- Allow BOINC client to use an HTTP proxy for all connections
+- Allow rhsmertd to domain transition to dmidecod
+- Allow setroubleshootd to send D-Bus msg to ABRT
+
* Thu Nov 8 2012 Miroslav Grepl 3.11.1-52
- Define usbtty_device_t as a term_tty
- Allow svnserve to accept a connection