diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index d114f36..8694412 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -2376,7 +2376,7 @@ index 99e3903..7270808 100644 ######################################## diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index d555767..34e1e8c 100644 +index d555767..9365051 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -5,18 +5,18 @@ policy_module(usermanage, 1.18.1) @@ -2658,7 +2658,7 @@ index d555767..34e1e8c 100644 userdom_use_unpriv_users_fds(passwd_t) # make sure that getcon succeeds userdom_getattr_all_users(passwd_t) -@@ -349,9 +389,15 @@ userdom_read_user_tmp_files(passwd_t) +@@ -349,9 +389,16 @@ userdom_read_user_tmp_files(passwd_t) # user generally runs this from their home directory, so do not audit a search # on user home dir userdom_dontaudit_search_user_home_content(passwd_t) @@ -2667,6 +2667,7 @@ index d555767..34e1e8c 100644 optional_policy(` - nscd_run(passwd_t, passwd_roles) + gnome_exec_keyringd(passwd_t) ++ gnome_manage_cache_home_dir(passwd_t) +') + +optional_policy(` @@ -2675,7 +2676,7 @@ index d555767..34e1e8c 100644 ') ######################################## -@@ -398,9 +444,10 @@ dev_read_urand(sysadm_passwd_t) +@@ -398,9 +445,10 @@ dev_read_urand(sysadm_passwd_t) fs_getattr_xattr_fs(sysadm_passwd_t) fs_search_auto_mountpoints(sysadm_passwd_t) @@ -2688,7 +2689,7 @@ index d555767..34e1e8c 100644 auth_manage_shadow(sysadm_passwd_t) auth_relabel_shadow(sysadm_passwd_t) auth_etc_filetrans_shadow(sysadm_passwd_t) -@@ -413,7 +460,6 @@ files_read_usr_files(sysadm_passwd_t) +@@ -413,7 +461,6 @@ files_read_usr_files(sysadm_passwd_t) domain_use_interactive_fds(sysadm_passwd_t) 
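Review bot: `gnome_manage_cache_home_dir(passwd_t)` hands passwd_t, a setuid helper that in this block previously needed only `gnome_exec_keyringd`, create/write/delete rights over the whole user cache home content, and nothing records which file it has to touch. If the need is limited to one keyring state file, a narrower rw or create-only interface is preferable; in either case a comment on the line, e.g. `# needed for gnome-keyring password sync — confirm the exact path`, would make the grant reviewable. The enclosing optional_policy block continues past the hunk.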
@@ -2696,7 +2697,7 @@ index d555767..34e1e8c 100644 files_relabel_etc_files(sysadm_passwd_t) files_read_etc_runtime_files(sysadm_passwd_t) # for nscd lookups -@@ -423,19 +469,17 @@ files_dontaudit_search_pids(sysadm_passwd_t) +@@ -423,19 +470,17 @@ files_dontaudit_search_pids(sysadm_passwd_t) # correctly without it. Do not audit write denials to utmp. init_dontaudit_rw_utmp(sysadm_passwd_t) @@ -2718,7 +2719,7 @@ index d555767..34e1e8c 100644 ') ######################################## -@@ -443,7 +487,8 @@ optional_policy(` +@@ -443,7 +488,8 @@ optional_policy(` # Useradd local policy # @@ -2728,7 +2729,7 @@ index d555767..34e1e8c 100644 dontaudit useradd_t self:capability sys_tty_config; allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow useradd_t self:process setfscreate; -@@ -458,6 +503,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms; +@@ -458,6 +504,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms; allow useradd_t self:unix_dgram_socket sendto; allow useradd_t self:unix_stream_socket connectto; @@ -2739,7 +2740,7 @@ index d555767..34e1e8c 100644 # for getting the number of groups kernel_read_kernel_sysctls(useradd_t) -@@ -465,36 +514,36 @@ corecmd_exec_shell(useradd_t) +@@ -465,36 +515,36 @@ corecmd_exec_shell(useradd_t) # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. corecmd_exec_bin(useradd_t) @@ -2788,7 +2789,7 @@ index d555767..34e1e8c 100644 auth_manage_shadow(useradd_t) auth_relabel_shadow(useradd_t) auth_etc_filetrans_shadow(useradd_t) -@@ -505,33 +554,36 @@ init_rw_utmp(useradd_t) +@@ -505,33 +555,36 @@ init_rw_utmp(useradd_t) logging_send_audit_msgs(useradd_t) logging_send_syslog_msg(useradd_t) @@ -2839,7 +2840,7 @@ index d555767..34e1e8c 100644 optional_policy(` apache_manage_all_user_content(useradd_t) ') -@@ -542,7 +594,12 @@ optional_policy(` +@@ -542,7 +595,12 @@ optional_policy(` ') optional_policy(` 
@@ -2853,7 +2854,7 @@ index d555767..34e1e8c 100644 ') optional_policy(` -@@ -550,6 +607,11 @@ optional_policy(` +@@ -550,6 +608,11 @@ optional_policy(` ') optional_policy(` @@ -2865,7 +2866,7 @@ index d555767..34e1e8c 100644 tunable_policy(`samba_domain_controller',` samba_append_log(useradd_t) ') -@@ -559,3 +621,12 @@ optional_policy(` +@@ -559,3 +622,12 @@ optional_policy(` rpm_use_fds(useradd_t) rpm_rw_pipes(useradd_t) ') @@ -5170,7 +5171,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 4edc40d..b48abbe 100644 +index 4edc40d..f13d33f 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4) @@ -5272,7 +5273,7 @@ index 4edc40d..b48abbe 100644 network_port(ctdb, tcp,4379,s0, udp,4397,s0) network_port(cvs, tcp,2401,s0, udp,2401,s0) network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0) -@@ -119,18 +141,23 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0, +@@ -119,19 +141,25 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0, network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0) network_port(dict, tcp,2628,s0) network_port(distccd, tcp,3632,s0) 
@@ -5296,9 +5297,11 @@ index 4edc40d..b48abbe 100644 network_port(git, tcp,9418,s0, udp,9418,s0) +network_port(glance, tcp,9292,s0, udp,9292,s0) network_port(glance_registry, tcp,9191,s0, udp,9191,s0) ++network_port(gluster, tcp,24007,s0, tcp, 38465-38469,s0) network_port(gopher, tcp,70,s0, udp,70,s0) network_port(gpsd, tcp,2947,s0) -@@ -139,45 +166,51 @@ network_port(hadoop_namenode, tcp,8020,s0) + network_port(hadoop_datanode, tcp,50010,s0) +@@ -139,45 +167,51 @@ network_port(hadoop_namenode, tcp,8020,s0) network_port(hddtemp, tcp,7634,s0) network_port(howl, tcp,5335,s0, udp,5353,s0) network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0) @@ -5364,7 +5367,7 @@ index 4edc40d..b48abbe 100644 network_port(msnp, tcp,1863,s0, udp,1863,s0) network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0) network_port(ms_streaming, tcp,1755,s0, udp,1755,s0) -@@ -185,24 +218,32 @@ network_port(munin, tcp,4949,s0, udp,4949,s0) +@@ -185,24 +219,32 @@ network_port(munin, tcp,4949,s0, udp,4949,s0) network_port(mxi, tcp,8005,s0, udp,8005,s0) network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0) network_port(mysqlmanagerd, tcp,2273,s0) @@ -5400,7 +5403,7 @@ index 4edc40d..b48abbe 100644 network_port(pktcable_cops, tcp,2126,s0, udp,2126,s0) network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0) network_port(portmap, udp,111,s0, tcp,111,s0) -@@ -214,38 +255,43 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0) +@@ -214,38 +256,43 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0) network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0) network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) 
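Review bot: The new `network_port(gluster, tcp,24007,s0, tcp, 38465-38469,s0)` line has a stray space in `tcp, 38465-38469` while every neighbouring entry in the hunk writes the protocol and port without one; it is harmless to m4 but breaks the file's convention and simple grepping, so `network_port(gluster, tcp,24007,s0, tcp,38465-38469,s0)` is preferable. Since this is the only entry in the hunk declaring a port range, a trailing comment stating what 38465-38469 is used for would help the next reader.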
@@ -5450,7 +5453,7 @@ index 4edc40d..b48abbe 100644 network_port(ssh, tcp,22,s0) network_port(stunnel) # no defined portcon network_port(svn, tcp,3690,s0, udp,3690,s0) -@@ -257,8 +303,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0) +@@ -257,8 +304,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0) network_port(tcs, tcp, 30003, s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) @@ -5461,7 +5464,7 @@ index 4edc40d..b48abbe 100644 network_port(transproxy, tcp,8081,s0) network_port(trisoap, tcp,10200,s0, udp,10200,s0) network_port(ups, tcp,3493,s0) -@@ -268,10 +315,10 @@ network_port(varnishd, tcp,6081-6082,s0) +@@ -268,10 +316,10 @@ network_port(varnishd, tcp,6081-6082,s0) network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(virtual_places, tcp,1533,s0, udp,1533,s0) network_port(virt_migration, tcp,49152-49216,s0) @@ -5474,7 +5477,7 @@ index 4edc40d..b48abbe 100644 network_port(winshadow, tcp,3161,s0, udp,3261,s0) network_port(wsdapi, tcp,5357,s0, udp,5357,s0) network_port(wsicopy, tcp,3378,s0, udp,3378,s0) -@@ -292,12 +339,16 @@ network_port(zope, tcp,8021,s0) +@@ -292,12 +340,16 @@ network_port(zope, tcp,8021,s0) # Defaults for reserved ports. Earlier portcon entries take precedence; # these entries just cover any remaining reserved ports not otherwise declared. @@ -5493,7 +5496,7 @@ index 4edc40d..b48abbe 100644 ######################################## # -@@ -330,6 +381,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) +@@ -330,6 +382,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) build_option(`enable_mls',` network_interface(lo, lo, s0 - mls_systemhigh) 
@@ -5502,7 +5505,7 @@ index 4edc40d..b48abbe 100644 ',` typealias netif_t alias { lo_netif_t netif_lo_t }; ') -@@ -342,9 +395,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -342,9 +396,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; @@ -8404,7 +8407,7 @@ index 6a1e4d1..c691385 100644 + dontaudit $1 domain:socket_class_set { read write }; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..19c3e01 100644 +index cf04cb5..d02fa9e 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0) @@ -8532,7 +8535,7 @@ index cf04cb5..19c3e01 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -166,5 +229,287 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -166,5 +229,292 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; @@ -8602,6 +8605,10 @@ index cf04cb5..19c3e01 100644 +') + +optional_policy(` ++ apcupsd_filetrans_named_content(unconfined_domain_type) ++') ++ ++optional_policy(` + bootloader_filetrans_config(unconfined_domain_type) +') + @@ -8707,6 +8714,7 @@ index cf04cb5..19c3e01 100644 + +optional_policy(` + ssh_filetrans_admin_home_content(unconfined_domain_type) ++ ssh_filetrans_keys(unconfined_domain_type) +') + +optional_policy(` @@ -17047,10 +17055,10 @@ index ff92430..36740ea 100644 ## ## Execute a generic bin program in the sysadm domain. diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 88d0028..c3275cb 100644 +index 88d0028..e7c0869 100644 --- a/policy/modules/roles/sysadm.te 
+++ b/policy/modules/roles/sysadm.te -@@ -5,39 +5,81 @@ policy_module(sysadm, 2.5.1) +@@ -5,39 +5,82 @@ policy_module(sysadm, 2.5.1) # Declarations # @@ -17139,11 +17147,12 @@ index 88d0028..c3275cb 100644 + +optional_policy(` + ssh_filetrans_admin_home_content(sysadm_t) ++ ssh_filetrans_keys(sysadm_t) +') ifdef(`direct_sysadm_daemon',` optional_policy(` -@@ -55,13 +97,7 @@ ifdef(`distro_gentoo',` +@@ -55,13 +98,7 @@ ifdef(`distro_gentoo',` init_exec_rc(sysadm_t) ') @@ -17158,7 +17167,7 @@ index 88d0028..c3275cb 100644 domain_ptrace_all_domains(sysadm_t) ') -@@ -71,9 +107,9 @@ optional_policy(` +@@ -71,9 +108,9 @@ optional_policy(` optional_policy(` apache_run_helper(sysadm_t, sysadm_r) @@ -17169,7 +17178,7 @@ index 88d0028..c3275cb 100644 ') optional_policy(` -@@ -87,6 +123,7 @@ optional_policy(` +@@ -87,6 +124,7 @@ optional_policy(` optional_policy(` asterisk_stream_connect(sysadm_t) @@ -17177,7 +17186,7 @@ index 88d0028..c3275cb 100644 ') optional_policy(` -@@ -110,11 +147,17 @@ optional_policy(` +@@ -110,11 +148,17 @@ optional_policy(` ') optional_policy(` @@ -17195,7 +17204,7 @@ index 88d0028..c3275cb 100644 ') optional_policy(` -@@ -122,11 +165,19 @@ optional_policy(` +@@ -122,11 +166,19 @@ optional_policy(` ') optional_policy(` @@ -17217,7 +17226,7 @@ index 88d0028..c3275cb 100644 ') optional_policy(` -@@ -140,6 +191,10 @@ optional_policy(` +@@ -140,6 +192,10 @@ optional_policy(` ') optional_policy(` @@ -17228,7 +17237,7 @@ index 88d0028..c3275cb 100644 dmesg_exec(sysadm_t) ') -@@ -156,11 +211,11 @@ optional_policy(` +@@ -156,11 +212,11 @@ optional_policy(` ') optional_policy(` @@ -17242,7 +17251,7 @@ index 88d0028..c3275cb 100644 ') optional_policy(` -@@ -179,6 +234,13 @@ optional_policy(` +@@ -179,6 +235,13 @@ optional_policy(` ipsec_stream_connect(sysadm_t) # for lsof ipsec_getattr_key_sockets(sysadm_t) 
@@ -17256,7 +17265,7 @@ index 88d0028..c3275cb 100644 ') optional_policy(` -@@ -186,15 +248,20 @@ optional_policy(` +@@ -186,15 +249,20 @@ optional_policy(` ') optional_policy(` @@ -17280,7 +17289,7 @@ index 88d0028..c3275cb 100644 ') optional_policy(` -@@ -214,22 +281,20 @@ optional_policy(` +@@ -214,22 +282,20 @@ optional_policy(` modutils_run_depmod(sysadm_t, sysadm_r) modutils_run_insmod(sysadm_t, sysadm_r) modutils_run_update_mods(sysadm_t, sysadm_r) @@ -17309,7 +17318,7 @@ index 88d0028..c3275cb 100644 ') optional_policy(` -@@ -241,14 +306,27 @@ optional_policy(` +@@ -241,14 +307,27 @@ optional_policy(` ') optional_policy(` @@ -17337,7 +17346,7 @@ index 88d0028..c3275cb 100644 ') optional_policy(` -@@ -256,10 +334,20 @@ optional_policy(` +@@ -256,10 +335,20 @@ optional_policy(` ') optional_policy(` @@ -17358,7 +17367,7 @@ index 88d0028..c3275cb 100644 portage_run(sysadm_t, sysadm_r) portage_run_fetch(sysadm_t, sysadm_r) portage_run_gcc_config(sysadm_t, sysadm_r) -@@ -270,31 +358,36 @@ optional_policy(` +@@ -270,31 +359,36 @@ optional_policy(` ') optional_policy(` @@ -17402,7 +17411,7 @@ index 88d0028..c3275cb 100644 ') optional_policy(` -@@ -319,12 +412,18 @@ optional_policy(` +@@ -319,12 +413,18 @@ optional_policy(` ') optional_policy(` @@ -17422,7 +17431,7 @@ index 88d0028..c3275cb 100644 ') optional_policy(` -@@ -349,7 +448,18 @@ optional_policy(` +@@ -349,7 +449,18 @@ optional_policy(` ') optional_policy(` @@ -17442,7 +17451,7 @@ index 88d0028..c3275cb 100644 ') optional_policy(` -@@ -360,19 +470,15 @@ optional_policy(` +@@ -360,19 +471,15 @@ optional_policy(` ') optional_policy(` @@ -17464,7 +17473,7 @@ index 88d0028..c3275cb 100644 ') optional_policy(` -@@ -384,10 +490,6 @@ optional_policy(` +@@ -384,10 +491,6 @@ optional_policy(` ') optional_policy(` 
@@ -17475,7 +17484,7 @@ index 88d0028..c3275cb 100644 usermanage_run_admin_passwd(sysadm_t, sysadm_r) usermanage_run_groupadd(sysadm_t, sysadm_r) usermanage_run_useradd(sysadm_t, sysadm_r) -@@ -395,6 +497,9 @@ optional_policy(` +@@ -395,6 +498,9 @@ optional_policy(` optional_policy(` virt_stream_connect(sysadm_t) @@ -17485,7 +17494,7 @@ index 88d0028..c3275cb 100644 ') optional_policy(` -@@ -402,31 +507,34 @@ optional_policy(` +@@ -402,31 +508,34 @@ optional_policy(` ') optional_policy(` @@ -17526,7 +17535,7 @@ index 88d0028..c3275cb 100644 auth_role(sysadm_r, sysadm_t) ') -@@ -439,10 +547,6 @@ ifndef(`distro_redhat',` +@@ -439,10 +548,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -17537,7 +17546,7 @@ index 88d0028..c3275cb 100644 dbus_role_template(sysadm, sysadm_r, sysadm_t) optional_policy(` -@@ -463,15 +567,75 @@ ifndef(`distro_redhat',` +@@ -463,15 +568,75 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -19378,13 +19387,15 @@ index 346d011..3e23acb 100644 + ') +') diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc -index 76d9f66..21c96cf 100644 +index 76d9f66..02d4ea6 100644 --- a/policy/modules/services/ssh.fc +++ b/policy/modules/services/ssh.fc -@@ -1,4 +1,16 @@ +@@ -1,16 +1,36 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +HOME_DIR/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) -+ + +-/etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0) +-/etc/ssh/ssh_host.*_key -- gen_context(system_u:object_r:sshd_key_t,s0) +/var/lib/amanda/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/var/lib/gitolite/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/var/lib/gitolite3/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) 
@@ -19395,10 +19406,13 @@ index 76d9f66..21c96cf 100644 +/var/lib/pgsql/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) + +/etc/rc\.d/init\.d/sshd -- gen_context(system_u:object_r:sshd_initrc_exec_t,s0) ++ ++/etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0) ++/etc/ssh/ssh_host.*_key -- gen_context(system_u:object_r:sshd_key_t,s0) ++/etc/ssh/ssh_host.*_key\.pub -- gen_context(system_u:object_r:sshd_key_t,s0) - /etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0) - /etc/ssh/ssh_host.*_key -- gen_context(system_u:object_r:sshd_key_t,s0) -@@ -8,9 +20,16 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) + /usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0) + /usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0) /usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0) /usr/lib/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0) @@ -19416,7 +19430,7 @@ index 76d9f66..21c96cf 100644 +/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if -index fe0c682..95ae197 100644 +index fe0c682..225aaa7 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -32,10 +32,11 @@ @@ -19964,7 +19978,7 @@ index fe0c682..95ae197 100644 ') ###################################### -@@ -754,3 +873,124 @@ interface(`ssh_delete_tmp',` +@@ -754,3 +873,149 @@ interface(`ssh_delete_tmp',` files_search_tmp($1) delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t) ') 
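Review bot: `/etc/ssh/ssh_host.*_key\.pub -- gen_context(system_u:object_r:sshd_key_t,s0)` gives the public host keys the same type as the private ones, so any domain that must read a `.pub` file (not secret material) has to be granted read on sshd_key_t and thereby on the private keys as well. If the public keys need a different set of readers, a separate type (a constructed name such as `sshd_pub_key_t`, declared in ssh.te) would keep the secret files isolated; if sharing the type is deliberate, a comment on the line saying so would save the next reviewer the question. The relocation of the `/etc/ssh/primes` and `/etc/ssh/ssh_host.*_key` lines is only a move and needs no change.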
@@ -20032,6 +20046,31 @@ index fe0c682..95ae197 100644 + +######################################## +## ++## Create .ssh directory in the user home directory ++## with an correct label. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ssh_filetrans_keys',` ++ ++ gen_require(` ++ type sshd_key_t; ++ ') ++ ++ files_etc_filetrans($1, sshd_key_t, file, ".ssh_host_key") ++ files_etc_filetrans($1, sshd_key_t, file, ".ssh_host_dsa_key") ++ files_etc_filetrans($1, sshd_key_t, file, ".ssh_host_rsa_key") ++ files_etc_filetrans($1, sshd_key_t, file, ".ssh_host_key.pub") ++ files_etc_filetrans($1, sshd_key_t, file, ".ssh_host_dsa_key.pub") ++ files_etc_filetrans($1, sshd_key_t, file, ".ssh_host_rsa_key.pub") ++') ++ ++######################################## ++## +## Do not audit attempts to read and +## write the sshd pty type. +## diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index d9abd45..9ddeed7 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -6756,10 +6756,10 @@ index 1a82e29..ffff859 100644 + corenet_tcp_connect_osapi_compute_port(httpd_t) ') diff --git a/apcupsd.fc b/apcupsd.fc -index 5ec0e13..2da2368 100644 +index 5ec0e13..1c37fe1 100644 --- a/apcupsd.fc +++ b/apcupsd.fc -@@ -1,5 +1,7 @@ +@@ -1,10 +1,13 @@ /etc/rc\.d/init\.d/apcupsd -- gen_context(system_u:object_r:apcupsd_initrc_exec_t,s0) +/usr/lib/systemd/system/apcupsd.* -- gen_context(system_u:object_r:apcupsd_unit_file_t,s0) @@ -6767,8 +6767,14 @@ index 5ec0e13..2da2368 100644 /sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0) /usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0) + + /var/lock/subsys/apcupsd -- gen_context(system_u:object_r:apcupsd_lock_t,s0) ++/var/lock/LCK.. -- gen_context(system_u:object_r:apcupsd_lock_t,s0) + + /var/log/apcupsd\.events.* -- gen_context(system_u:object_r:apcupsd_log_t,s0) + /var/log/apcupsd\.status.* -- gen_context(system_u:object_r:apcupsd_log_t,s0) 
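Review bot: The header of the new `ssh_filetrans_keys` interface says it creates the `.ssh` directory in the user home directory, but the body only adds `files_etc_filetrans` rules for `.ssh_host_*` names in /etc with the sshd_key_t type; the summary should read something like `Create sshd host key files in /etc with the sshd_key_t label via named file transitions.` The name list covers only the `key`, `dsa_key` and `rsa_key` variants and their `.pub` files, whereas the ssh.fc patterns `/etc/ssh/ssh_host.*_key` and `/etc/ssh/ssh_host.*_key\.pub` in this same commit match any key type, so files for other types created through this interface (called for unconfined_domain_type in the domain.te hunk and for sysadm_t in the sysadm.te hunk) would not get the transition. The leading dot in `.ssh_host_key` and the /etc rather than /etc/ssh destination also differ from the fc entries; if this is an intermediate name the key generator writes, a comment saying so would stop it being "fixed" later.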
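Review bot: `/var/lock/LCK.. -- gen_context(system_u:object_r:apcupsd_lock_t,s0)` uses unescaped dots, so as an anchored regex it matches any five-character name beginning with `LCK` and nothing longer; if apcupsd's serial lock files follow the usual `LCK..<device>` convention (presumably where the `..` comes from), neither this entry nor the named transition `files_lock_filetrans($1, apcupsd_lock_t, file, "LCK..")` added in the apcupsd.if hunk below would ever match a real file. Escaping and allowing the device suffix, `/var/lock/LCK\.\..* -- gen_context(system_u:object_r:apcupsd_lock_t,s0)`, fixes the fc side, but a named transition can only carry an exact name, so the `LCK..` line in `apcupsd_filetrans_named_content` should be dropped or replaced by the exact name apcupsd creates. Other serial-port users create lock files with the same `LCK..` prefix in /var/lock, so a broad pattern would also label a foreign daemon's lock as apcupsd_lock_t; a comment naming the device apcupsd locks would help scope it.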
diff --git a/apcupsd.if b/apcupsd.if -index f3c0aba..5189407 100644 +index f3c0aba..7b24e98 100644 --- a/apcupsd.if +++ b/apcupsd.if @@ -125,6 +125,29 @@ interface(`apcupsd_cgi_script_domtrans',` @@ -6819,7 +6825,7 @@ index f3c0aba..5189407 100644 apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 apcupsd_initrc_exec_t system_r; -@@ -165,4 +193,8 @@ interface(`apcupsd_admin',` +@@ -165,4 +193,28 @@ interface(`apcupsd_admin',` files_list_pids($1) admin_pattern($1, apcupsd_var_run_t) @@ -6827,6 +6833,26 @@ index f3c0aba..5189407 100644 + apcupsd_systemctl($1) + admin_pattern($1, apcupsd_unit_file_t) + allow $1 apcupsd_unit_file_t:service all_service_perms; ++') ++ ++######################################## ++## ++## Create configuration files in /var/lock ++## with a named file type transition. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`apcupsd_filetrans_named_content',` ++ gen_require(` ++ type apcupsd_lock_t; ++ ') ++ ++ files_lock_filetrans($1, apcupsd_lock_t, file, "apcupsd") ++ files_lock_filetrans($1, apcupsd_lock_t, file, "LCK..") ') diff --git a/apcupsd.te b/apcupsd.te index b236327..f194ee1 100644 @@ -13604,13 +13630,32 @@ index c086302..4f33119 100644 /etc/rc\.d/init\.d/couchdb -- gen_context(system_u:object_r:couchdb_initrc_exec_t,s0) diff --git a/couchdb.if b/couchdb.if -index 83d6744..6afc08d 100644 +index 83d6744..b934cb7 100644 --- a/couchdb.if +++ b/couchdb.if -@@ -2,6 +2,25 @@ +@@ -2,6 +2,44 @@ ######################################## ## ++## Allow to read couchdb log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`couchdb_read_log_files',` ++ gen_require(` ++ type couchdb_log_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, couchdb_log_t, couchdb_log_t) ++') ++ ++######################################## ++## +## Allow to read couchdb lib files. +## +## 
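Review bot: `couchdb_read_log_files` calls `files_search_var_lib($1)` before `read_files_pattern($1, couchdb_log_t, couchdb_log_t)`, which looks copied from the neighbouring `couchdb_read_lib_files`; if couchdb_log_t labels files under /var/log (the couchdb.fc hunk is not in view), the caller still lacks search on /var/log and the line should be `logging_search_logs($1)`. The first user of the interface is `couchdb_read_log_files(rabbitmq_beam_t)` in the rabbitmq.te hunk at the end of this diff, so that grant would be ineffective until this is corrected.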
@@ -13633,7 +13678,7 @@ index 83d6744..6afc08d 100644 ## All of the rules required to ## administrate an couchdb environment. ## -@@ -10,6 +29,108 @@ +@@ -10,6 +48,108 @@ ## Domain allowed access. ## ## @@ -13742,7 +13787,7 @@ index 83d6744..6afc08d 100644 ## ## ## Role allowed access. -@@ -19,14 +140,19 @@ +@@ -19,14 +159,19 @@ # interface(`couchdb_admin',` gen_require(` @@ -13763,7 +13808,7 @@ index 83d6744..6afc08d 100644 init_labeled_script_domtrans($1, couchdb_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 couchdb_initrc_exec_t system_r; -@@ -46,4 +172,13 @@ interface(`couchdb_admin',` +@@ -46,4 +191,13 @@ interface(`couchdb_admin',` files_search_pids($1) admin_pattern($1, couchdb_var_run_t) @@ -21577,7 +21622,7 @@ index dbcac59..66d42bb 100644 + admin_pattern($1, dovecot_passwd_t) ') diff --git a/dovecot.te b/dovecot.te -index a7bfaf0..457c894 100644 +index a7bfaf0..fe94a6c 100644 --- a/dovecot.te +++ b/dovecot.te @@ -1,4 +1,4 @@ 
@@ -21710,16 +21755,19 @@ index a7bfaf0..457c894 100644 logging_log_filetrans(dovecot_t, dovecot_var_log_t, { file dir }) manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) -@@ -122,43 +126,33 @@ manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) +@@ -120,45 +124,35 @@ manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) + manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) + manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) manage_fifo_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) - files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file }) - +-files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file }) +- -can_exec(dovecot_t, dovecot_exec_t) - -allow dovecot_t dovecot_auth_t:process signal; - -domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t) -- ++files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file sock_file }) + -corenet_all_recvfrom_unlabeled(dovecot_t) corenet_all_recvfrom_netlabel(dovecot_t) corenet_tcp_sendrecv_generic_if(dovecot_t) @@ -21876,10 +21924,10 @@ index a7bfaf0..457c894 100644 +files_read_usr_symlinks(dovecot_auth_t) +files_read_var_lib_files(dovecot_auth_t) +files_search_tmp(dovecot_auth_t) ++ ++fs_getattr_xattr_fs(dovecot_auth_t) -seutil_dontaudit_search_config(dovecot_auth_t) -+fs_getattr_xattr_fs(dovecot_auth_t) -+ +init_rw_utmp(dovecot_auth_t) sysnet_use_ldap(dovecot_auth_t) 
@@ -21898,9 +21946,18 @@ index a7bfaf0..457c894 100644 mysql_stream_connect(dovecot_auth_t) mysql_read_config(dovecot_auth_t) mysql_tcp_connect(dovecot_auth_t) -@@ -272,14 +279,21 @@ optional_policy(` +@@ -271,15 +278,30 @@ optional_policy(` + ') optional_policy(` ++ dbus_system_bus_client(dovecot_auth_t) ++ optional_policy(` ++ oddjob_dbus_chat(dovecot_auth_t) ++ oddjob_domtrans_mkhomedir(dovecot_auth_t) ++ ') ++') ++ ++optional_policy(` postfix_manage_private_sockets(dovecot_auth_t) + postfix_rw_inherited_master_pipes(dovecot_deliver_t) postfix_search_spool(dovecot_auth_t) @@ -21921,7 +21978,7 @@ index a7bfaf0..457c894 100644 allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms; append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t) -@@ -289,35 +303,42 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t +@@ -289,35 +311,42 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir }) allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms; @@ -21981,7 +22038,7 @@ index a7bfaf0..457c894 100644 mta_read_queue(dovecot_deliver_t) ') -@@ -326,5 +347,6 @@ optional_policy(` +@@ -326,5 +355,6 @@ optional_policy(` ') optional_policy(` @@ -24944,10 +25001,10 @@ index 0000000..1ed97fe + diff --git a/glusterd.te b/glusterd.te new file mode 100644 -index 0000000..ab1fd22 +index 0000000..eaf0f2a --- /dev/null +++ b/glusterd.te -@@ -0,0 +1,146 @@ +@@ -0,0 +1,158 @@ +policy_module(glusterfs, 1.0.1) + +## 
@@ -25005,8 +25062,8 @@ index 0000000..ab1fd22 +# Local policy +# + -+allow glusterd_t self:capability { sys_admin sys_resource dac_override chown dac_read_search fowner }; -+allow glusterd_t self:process { setrlimit signal }; ++allow glusterd_t self:capability { sys_admin sys_resource dac_override chown dac_read_search fowner setuid }; ++allow glusterd_t self:process { getcap setcap setrlimit signal }; +allow glusterd_t self:fifo_file rw_fifo_file_perms; +allow glusterd_t self:tcp_socket { accept listen }; +allow glusterd_t self:unix_stream_socket { accept listen connectto }; @@ -25052,10 +25109,18 @@ index 0000000..ab1fd22 +corenet_tcp_bind_generic_node(glusterd_t) +corenet_udp_bind_generic_node(glusterd_t) + -+# Too coarse? ++corenet_tcp_connect_gluster_port(glusterd_t) ++corenet_tcp_bind_gluster_port(glusterd_t) ++ ++# replacement for rpc.mountd +corenet_sendrecv_all_server_packets(glusterd_t) +corenet_tcp_bind_all_reserved_ports(glusterd_t) +corenet_udp_bind_all_rpc_ports(glusterd_t) ++corenet_tcp_bind_all_rpc_ports(glusterd_t) ++corenet_tcp_bind_nfs_port(glusterd_t) ++corenet_udp_bind_nfs_port(glusterd_t) ++corenet_udp_bind_mountd_port(glusterd_t) ++corenet_tcp_bind_mountd_port(glusterd_t) +corenet_udp_bind_ipp_port(glusterd_t) + +corenet_sendrecv_all_client_packets(glusterd_t) @@ -25094,6 +25159,10 @@ index 0000000..ab1fd22 + files_manage_non_security_dirs(glusterd_t) + files_manage_non_security_files(glusterd_t) +') ++ ++optional_policy(` ++ rpc_domtrans_rpcd(glusterd_t) ++') diff --git a/glusterfs.fc b/glusterfs.fc deleted file mode 100644 index 4bd6ade..0000000 @@ -37042,10 +37111,10 @@ index 0000000..8d0e473 +/var/cache/mock(/.*)? gen_context(system_u:object_r:mock_cache_t,s0) diff --git a/mock.if b/mock.if new file mode 100644 -index 0000000..1446e6a +index 0000000..895f325 --- /dev/null +++ b/mock.if -@@ -0,0 +1,303 @@ +@@ -0,0 +1,305 @@ +## policy for mock + +######################################## 
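Review bot: With `corenet_tcp_bind_gluster_port`, `corenet_tcp_bind_nfs_port`, `corenet_udp_bind_nfs_port` and the two mountd binds now spelled out, the retained `corenet_tcp_bind_all_reserved_ports(glusterd_t)` and the new `corenet_tcp_bind_all_rpc_ports(glusterd_t)` already cover all of them, so the specific lines are dead policy and glusterd_t can still bind any reserved TCP port. Either drop the two `*_all_*` binds and keep the named ports, or replace the new `# replacement for rpc.mountd` comment with one that records why the blanket binds are still needed beside them. The earlier hunk in this file also adds `setuid` to the capability set and `getcap setcap` to self:process; a one-line comment naming the glusterd operation that requires them would make that grant reviewable.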
@@ -37261,6 +37330,8 @@ index 0000000..1446e6a + mock_domtrans($1) + role $2 types mock_t; + role $2 types mock_build_t; ++ ++ mount_run(mock_t, $2) +') + +######################################## @@ -37351,10 +37422,10 @@ index 0000000..1446e6a +') diff --git a/mock.te b/mock.te new file mode 100644 -index 0000000..67b8b3d +index 0000000..7245033 --- /dev/null +++ b/mock.te -@@ -0,0 +1,264 @@ +@@ -0,0 +1,273 @@ +policy_module(mock,1.0.0) + +## @@ -37390,6 +37461,9 @@ index 0000000..67b8b3d +type mock_var_lib_t; +files_type(mock_var_lib_t) + ++type mock_var_run_t; ++files_pid_file(mock_var_run_t) ++ +type mock_etc_t; +files_config_file(mock_etc_t) + @@ -37432,6 +37506,12 @@ index 0000000..67b8b3d +allow mock_t mock_var_lib_t:dir relabel_dir_perms; +allow mock_t mock_var_lib_t:file relabel_file_perms; + ++manage_files_pattern(mock_t, mock_var_run_t, mock_var_run_t) ++manage_dirs_pattern(mock_t, mock_var_run_t, mock_var_run_t) ++manage_sock_files_pattern(mock_t, mock_var_run_t, mock_var_run_t) ++manage_lnk_files_pattern(mock_t, mock_var_run_t, mock_var_run_t) ++files_pid_filetrans(mock_t, mock_var_run_t, { file dir sock_file }) ++ +kernel_read_irq_sysctls(mock_t) +kernel_read_system_state(mock_t) +kernel_read_network_state(mock_t) @@ -57177,7 +57257,7 @@ index 2e23946..589bbf2 100644 + postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") ') diff --git a/postfix.te b/postfix.te -index 191a66f..93a04c2 100644 +index 191a66f..5acf87c 100644 --- a/postfix.te +++ b/postfix.te @@ -1,4 +1,4 @@ @@ -57554,7 +57634,7 @@ index 191a66f..93a04c2 100644 manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) -@@ -355,35 +252,34 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool +@@ -355,37 +252,34 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool ######################################## # 
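Review bot: `mount_run(mock_t, $2)` inside the mock role interface is a hard reference to the mount module; unlike the `optional_policy` blocks this commit uses for cross-module calls in the .te hunks, a build without the mount module fails at this line, so it should be wrapped as `optional_policy(`` / `mount_run(mock_t, $2)` / `')`. It also hard-codes `mock_t` rather than `$1`, which is correct only if `$1` is always the caller's user domain; the interface header (outside the hunk) should state that the role is additionally granted the transition into the mount domain. A comment such as `# mock_t runs mount; the role needs the mount_t transition` would document the intent.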
@@ -57594,12 +57674,14 @@ index 191a66f..93a04c2 100644 -corenet_sendrecv_kismet_client_packets(postfix_cleanup_t) -corenet_tcp_connect_kismet_port(postfix_cleanup_t) -corenet_tcp_sendrecv_kismet_port(postfix_cleanup_t) +- +-mta_read_aliases(postfix_cleanup_t) +# allow postfix to connect to sqlgrey +corenet_tcp_connect_rtsclient_port(postfix_cleanup_t) - mta_read_aliases(postfix_cleanup_t) - -@@ -393,36 +289,53 @@ optional_policy(` + optional_policy(` + mailman_read_data_files(postfix_cleanup_t) +@@ -393,36 +287,50 @@ optional_policy(` ######################################## # @@ -57629,11 +57711,9 @@ index 191a66f..93a04c2 100644 logging_dontaudit_search_logs(postfix_local_t) --mta_delete_spool(postfix_local_t) - mta_read_aliases(postfix_local_t) -+mta_delete_spool(postfix_local_t) -+# For reading spamassasin - mta_read_config(postfix_local_t) + mta_delete_spool(postfix_local_t) +-mta_read_aliases(postfix_local_t) +-mta_read_config(postfix_local_t) +# Handle vacation script mta_send_mail(postfix_local_t) @@ -57661,7 +57741,7 @@ index 191a66f..93a04c2 100644 ') optional_policy(` -@@ -434,6 +347,7 @@ optional_policy(` +@@ -434,6 +342,7 @@ optional_policy(` ') optional_policy(` @@ -57669,7 +57749,7 @@ index 191a66f..93a04c2 100644 mailman_manage_data_files(postfix_local_t) mailman_append_log(postfix_local_t) mailman_read_log(postfix_local_t) -@@ -444,6 +358,10 @@ optional_policy(` +@@ -444,6 +353,10 @@ optional_policy(` ') optional_policy(` @@ -57680,7 +57760,7 @@ index 191a66f..93a04c2 100644 procmail_domtrans(postfix_local_t) ') -@@ -458,15 +376,17 @@ optional_policy(` +@@ -458,15 +371,17 @@ optional_policy(` ######################################## # 
@@ -57704,7 +57784,7 @@ index 191a66f..93a04c2 100644 manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t) manage_files_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t) -@@ -476,14 +396,15 @@ kernel_read_kernel_sysctls(postfix_map_t) +@@ -476,14 +391,15 @@ kernel_read_kernel_sysctls(postfix_map_t) kernel_dontaudit_list_proc(postfix_map_t) kernel_dontaudit_read_system_state(postfix_map_t) @@ -57724,7 +57804,7 @@ index 191a66f..93a04c2 100644 corecmd_list_bin(postfix_map_t) corecmd_read_bin_symlinks(postfix_map_t) -@@ -492,7 +413,6 @@ corecmd_read_bin_pipes(postfix_map_t) +@@ -492,7 +408,6 @@ corecmd_read_bin_pipes(postfix_map_t) corecmd_read_bin_sockets(postfix_map_t) files_list_home(postfix_map_t) @@ -57732,7 +57812,7 @@ index 191a66f..93a04c2 100644 files_read_etc_runtime_files(postfix_map_t) files_dontaudit_search_var(postfix_map_t) -@@ -500,21 +420,22 @@ auth_use_nsswitch(postfix_map_t) +@@ -500,21 +415,22 @@ auth_use_nsswitch(postfix_map_t) logging_send_syslog_msg(postfix_map_t) @@ -57758,7 +57838,7 @@ index 191a66f..93a04c2 100644 stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t) rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) -@@ -524,16 +445,15 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms; +@@ -524,16 +440,15 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms; read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t) delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t) @@ -57778,7 +57858,7 @@ index 191a66f..93a04c2 100644 # allow postfix_pipe_t self:process setrlimit; -@@ -576,19 +496,26 @@ optional_policy(` +@@ -576,19 +491,26 @@ optional_policy(` ######################################## # 
@@ -57810,7 +57890,7 @@ index 191a66f..93a04c2 100644 term_dontaudit_use_all_ptys(postfix_postdrop_t) term_dontaudit_use_all_ttys(postfix_postdrop_t) -@@ -603,10 +530,7 @@ optional_policy(` +@@ -603,10 +525,7 @@ optional_policy(` cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t) ') @@ -57822,7 +57902,7 @@ index 191a66f..93a04c2 100644 optional_policy(` fstools_read_pipes(postfix_postdrop_t) ') -@@ -621,17 +545,24 @@ optional_policy(` +@@ -621,17 +540,24 @@ optional_policy(` ####################################### # @@ -57850,7 +57930,7 @@ index 191a66f..93a04c2 100644 init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) -@@ -647,67 +578,77 @@ optional_policy(` +@@ -647,67 +573,77 @@ optional_policy(` ######################################## # @@ -57946,7 +58026,7 @@ index 191a66f..93a04c2 100644 ') optional_policy(` -@@ -720,24 +661,27 @@ optional_policy(` +@@ -720,29 +656,30 @@ optional_policy(` ######################################## # @@ -57980,7 +58060,12 @@ index 191a66f..93a04c2 100644 fs_getattr_all_dirs(postfix_smtpd_t) fs_getattr_all_fs(postfix_smtpd_t) -@@ -754,6 +698,7 @@ optional_policy(` +-mta_read_aliases(postfix_smtpd_t) +- + optional_policy(` + dovecot_stream_connect_auth(postfix_smtpd_t) + dovecot_stream_connect(postfix_smtpd_t) +@@ -754,6 +691,7 @@ optional_policy(` optional_policy(` milter_stream_connect_all(postfix_smtpd_t) @@ -57988,7 +58073,7 @@ index 191a66f..93a04c2 100644 ') optional_policy(` -@@ -764,31 +709,99 @@ optional_policy(` +@@ -764,31 +702,99 @@ optional_policy(` sasl_connect(postfix_smtpd_t) ') 
@@ -58015,11 +58100,9 @@ index 191a66f..93a04c2 100644 +corecmd_exec_shell(postfix_virtual_t) corecmd_exec_bin(postfix_virtual_t) -+ - mta_read_aliases(postfix_virtual_t) +-mta_read_aliases(postfix_virtual_t) mta_delete_spool(postfix_virtual_t) -+# For reading spamassasin - mta_read_config(postfix_virtual_t) +-mta_read_config(postfix_virtual_t) mta_manage_spool(postfix_virtual_t) userdom_manage_user_home_dirs(postfix_virtual_t) @@ -58084,6 +58167,10 @@ index 191a66f..93a04c2 100644 +init_sigchld(postfix_domain) +init_dontaudit_rw_stream_socket(postfix_domain) + ++# For reading spamassasin ++mta_read_config(postfix_domain) ++mta_read_aliases(postfix_domain) ++ +miscfiles_read_generic_certs(postfix_domain) + +userdom_dontaudit_use_unpriv_user_fds(postfix_domain) @@ -65212,7 +65299,7 @@ index c5ad6de..c67dbef 100644 /var/run/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_run_t,s0) diff --git a/rabbitmq.te b/rabbitmq.te -index 3698b51..7b56492 100644 +index 3698b51..2d320e6 100644 --- a/rabbitmq.te +++ b/rabbitmq.te @@ -45,6 +45,8 @@ setattr_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t) @@ -65233,7 +65320,7 @@ index 3698b51..7b56492 100644 corenet_all_recvfrom_unlabeled(rabbitmq_beam_t) corenet_all_recvfrom_netlabel(rabbitmq_beam_t) corenet_tcp_sendrecv_generic_if(rabbitmq_beam_t) -@@ -68,20 +72,28 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t) +@@ -68,20 +72,29 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t) corenet_tcp_connect_epmd_port(rabbitmq_beam_t) corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t) @@ -65254,7 +65341,8 @@ index 3698b51..7b56492 100644 +optional_policy(` + couchdb_read_conf_files(rabbitmq_beam_t) -+ couchdb_read_lib_files(rabbitmq_beam_t) ++ couchdb_read_log_files(rabbitmq_beam_t) ++ couchdb_manage_lib_files(rabbitmq_beam_t) +') + ######################################## 
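Review bot: The comment `# For reading spamassasin` now sits above two interfaces on the postfix_domain attribute, but in the rules it replaces it explained only mta_read_config; mta_read_aliases is a separate grant, and SpamAssassin is misspelled. I'd keep the comment on the config line (`# For reading spamassassin configuration`) and give the aliases line its own, e.g. `# aliases were previously read per-domain; now every postfix domain reads them`. Because postfix_domain presumably covers the user-entered domains as well (postdrop, postqueue), the aliases read is wider than the per-domain rules removed elsewhere in this patch; confirm that is intended rather than a side effect of consolidating.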
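Review bot: `couchdb_manage_lib_files(rabbitmq_beam_t)` replaces couchdb_read_lib_files and so grants create, write and delete on CouchDB's data directory to the Erlang VM domain, which the changelog describes only as "interact with couchdb files". If beam.smp merely appends to or rewrites existing files, a read/write interface (if couchdb.if provides one) keeps the ability to delete CouchDB's database files out of the rabbitmq domain. Either way a comment inside the optional_policy block naming the operation that needed it, e.g. `# beam.smp writes <what> under couchdb's lib dir (TODO confirm)`, lets a later maintainer re-narrow it; the added couchdb_read_log_files line is read-only and raises no concern.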
@@ -65266,7 +65354,7 @@ index 3698b51..7b56492 100644 allow rabbitmq_epmd_t self:process signal; allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms; allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms; -@@ -99,8 +111,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t) +@@ -99,8 +112,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t) corenet_tcp_bind_epmd_port(rabbitmq_epmd_t) corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t) @@ -71859,7 +71947,7 @@ index 0628d50..84f2fd7 100644 + allow rpm_script_t $1:process sigchld; ') diff --git a/rpm.te b/rpm.te -index 5cbe81c..94b945c 100644 +index 5cbe81c..90177fd 100644 --- a/rpm.te +++ b/rpm.te @@ -1,15 +1,13 @@ @@ -72135,7 +72223,7 @@ index 5cbe81c..94b945c 100644 allow rpm_script_t self:netlink_kobject_uevent_socket create_socket_perms; - -allow rpm_script_t rpm_t:netlink_route_socket { read write }; -+allow rpm_script_t self:netlink_audit_socket create_socket_perms; ++allow rpm_script_t self:netlink_audit_socket { create_socket_perms nlmsg_relay }; allow rpm_script_t rpm_tmp_t:file read_file_perms; @@ -84951,7 +85039,7 @@ index 5406b6e..dc5b46e 100644 admin_pattern($1, tgtd_tmpfs_t) ') diff --git a/tgtd.te b/tgtd.te -index c93c973..08aef1e 100644 +index c93c973..b04d201 100644 --- a/tgtd.te +++ b/tgtd.te @@ -29,7 +29,7 @@ files_pid_file(tgtd_var_run_t) @@ -84959,7 +85047,7 @@ index c93c973..08aef1e 100644 # -allow tgtd_t self:capability sys_resource; -+allow tgtd_t self:capability { dac_override sys_resource }; ++allow tgtd_t self:capability { dac_override sys_resource sys_rawio sys_admin }; allow tgtd_t self:capability2 block_suspend; allow tgtd_t self:process { setrlimit signal }; allow tgtd_t self:fifo_file rw_fifo_file_perms; 
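Review bot: `nlmsg_relay` on rpm_script_t's netlink_audit_socket lets any rpm scriptlet emit user-space audit records, so the new rule deserves a comment naming the tool run from scriptlets that sends them, e.g. `# scriptlets run <tool> which sends audit userspace messages (TODO confirm)`. Such records are attributed to rpm_script_t rather than to the program that normally emits them, which is worth knowing for anyone correlating audit events by source domain. If only one well-known helper needs this, a domain transition to that helper's own domain would keep the permission off the generic scriptlet domain.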
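Review bot: `sys_admin` in tgtd_t's new capability set is the broadest capability in the policy, and neither the hunk nor the changelog entry ("accessing to the passthrough device") says which tgtd operation needs it. `sys_rawio`, together with storage_read_scsi_generic/storage_write_scsi_generic in the next hunk, is what SCSI passthrough to /dev/sg* typically requires, so please confirm sys_admin was seen in a denial rather than added alongside, and document both: `# sys_rawio: SCSI passthrough to the sg device; sys_admin: <operation> (TODO confirm)`. If sys_admin turns out to come from a probe that works without it, a dontaudit rule keeps tgtd from gaining it.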
@@ -84971,7 +85059,7 @@ index c93c973..08aef1e 100644 corenet_tcp_sendrecv_generic_if(tgtd_t) corenet_tcp_sendrecv_generic_node(tgtd_t) corenet_tcp_bind_generic_node(tgtd_t) -@@ -69,7 +68,7 @@ corenet_tcp_sendrecv_iscsi_port(tgtd_t) +@@ -69,16 +68,16 @@ corenet_tcp_sendrecv_iscsi_port(tgtd_t) dev_read_sysfs(tgtd_t) @@ -84980,7 +85068,9 @@ index c93c973..08aef1e 100644 fs_read_anon_inodefs_files(tgtd_t) -@@ -77,8 +76,6 @@ storage_manage_fixed_disk(tgtd_t) + storage_manage_fixed_disk(tgtd_t) ++storage_read_scsi_generic(tgtd_t) ++storage_write_scsi_generic(tgtd_t) logging_send_syslog_msg(tgtd_t) @@ -84991,10 +85081,10 @@ index c93c973..08aef1e 100644 ') diff --git a/thin.fc b/thin.fc new file mode 100644 -index 0000000..7f4bce8 +index 0000000..1f8a908 --- /dev/null +++ b/thin.fc -@@ -0,0 +1,11 @@ +@@ -0,0 +1,12 @@ +/usr/bin/thin -- gen_context(system_u:object_r:thin_exec_t,s0) + +/usr/bin/aeolus-configserver-thinwrapper -- gen_context(system_u:object_r:thin_aeolus_configserver_exec_t,s0) @@ -85006,12 +85096,13 @@ index 0000000..7f4bce8 + +/var/run/aeolus-configserver(/.*)? gen_context(system_u:object_r:thin_aeolus_configserver_var_run_t,s0) +/var/run/aeolus/thin\.pid -- gen_context(system_u:object_r:thin_var_run_t,s0) ++/var/run/thin(/.*)? gen_context(system_u:object_r:thin_var_run_t,s0) diff --git a/thin.if b/thin.if new file mode 100644 -index 0000000..b9f811d +index 0000000..5e3637e --- /dev/null +++ b/thin.if -@@ -0,0 +1,66 @@ +@@ -0,0 +1,64 @@ +## thin policy + +####################################### @@ -85076,14 +85167,12 @@ index 0000000..b9f811d + files_search_pids($1) + stream_connect_pattern($1, thin_var_run_t, thin_var_run_t, thin_t) +') -+ -+ diff --git a/thin.te b/thin.te new file mode 100644 -index 0000000..dda7934 +index 0000000..ff282dc --- /dev/null +++ b/thin.te -@@ -0,0 +1,113 @@ +@@ -0,0 +1,114 @@ +policy_module(thin, 1.0) + +######################################## 
@@ -85169,14 +85258,15 @@ index 0000000..dda7934 +manage_dirs_pattern(thin_t, thin_log_t, thin_log_t) +logging_log_filetrans(thin_t, thin_log_t, { file dir }) + ++manage_dirs_pattern(thin_t, thin_var_run_t, thin_var_run_t) +manage_files_pattern(thin_t, thin_var_run_t, thin_var_run_t) ++manage_lnk_files_pattern(thin_t, thin_var_run_t, thin_var_run_t) +manage_sock_files_pattern(thin_t, thin_var_run_t, thin_var_run_t) -+files_pid_filetrans(thin_t, thin_var_run_t, { file }) ++files_pid_filetrans(thin_t, thin_var_run_t, { dir file sock_file }) + +corenet_tcp_bind_ntop_port(thin_t) +corenet_tcp_connect_postgresql_port(thin_t) + -+ +####################################### +# +# thin aeolus configserver local policy @@ -89832,10 +89922,10 @@ index 9dec06c..378880d 100644 + allow $1 svirt_image_t:chr_file rw_file_perms; ') diff --git a/virt.te b/virt.te -index 1f22fba..99dd3a5 100644 +index 1f22fba..6d3d147 100644 --- a/virt.te +++ b/virt.te -@@ -1,94 +1,98 @@ +@@ -1,94 +1,97 @@ -policy_module(virt, 1.6.10) +policy_module(virt, 1.5.0) @@ -89843,7 +89933,6 @@ index 1f22fba..99dd3a5 100644 # # Declarations # - +attribute virsh_transition_domain; +attribute virt_ptynode; +attribute virt_domain; @@ -89860,7 +89949,7 @@ index 1f22fba..99dd3a5 100644 +files_type(svirt_image_t) +dev_node(svirt_image_t) +dev_associate_sysfs(svirt_image_t) -+ + ## -##
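Review bot: `files_pid_filetrans(thin_t, thin_var_run_t, { dir file sock_file })` labels every directory thin_t creates directly under /var/run as thin_var_run_t, while thin.fc only declares `/var/run/thin(/.*)?` and `/var/run/aeolus/thin\.pid`. If this tree's files_pid_filetrans takes the optional name argument, splitting it into `files_pid_filetrans(thin_t, thin_var_run_t, dir, "thin")` and `files_pid_filetrans(thin_t, thin_var_run_t, { file sock_file })` ties the directory transition to the path the fc file covers, so a later restorecon agrees with what was created. The new manage_lnk_files_pattern line would also benefit from a comment naming the symlink thin creates in its run directory.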

-## Determine whether confined virtual guests @@ -89986,7 +90075,7 @@ index 1f22fba..99dd3a5 100644 type virt_cache_t alias svirt_cache_t; files_type(virt_cache_t) -@@ -105,27 +109,25 @@ userdom_user_home_content(virt_home_t) +@@ -105,27 +108,25 @@ userdom_user_home_content(virt_home_t) type svirt_home_t; userdom_user_home_content(svirt_home_t) @@ -90020,7 +90109,7 @@ index 1f22fba..99dd3a5 100644 type virt_var_run_t; files_pid_file(virt_var_run_t) -@@ -139,9 +141,17 @@ init_daemon_domain(virtd_t, virtd_exec_t) +@@ -139,9 +140,17 @@ init_daemon_domain(virtd_t, virtd_exec_t) domain_obj_id_change_exemption(virtd_t) domain_subj_id_change_exemption(virtd_t) @@ -90038,7 +90127,7 @@ index 1f22fba..99dd3a5 100644 ifdef(`enable_mcs',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh) ') -@@ -155,290 +165,134 @@ type virt_qmf_exec_t; +@@ -155,290 +164,134 @@ type virt_qmf_exec_t; init_daemon_domain(virt_qmf_t, virt_qmf_exec_t) type virt_bridgehelper_t; @@ -90302,7 +90391,9 @@ index 1f22fba..99dd3a5 100644 - -dontaudit svirt_t virt_content_t:file write_file_perms; -dontaudit svirt_t virt_content_t:dir rw_dir_perms; -- ++allow svirt_tcg_t self:process { execmem execstack }; ++allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms; + -append_files_pattern(svirt_t, virt_home_t, virt_home_t) -manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t) -manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t) @@ -90331,9 +90422,7 @@ index 1f22fba..99dd3a5 100644 -corenet_sendrecv_all_server_packets(svirt_t) -corenet_udp_bind_all_ports(svirt_t) -corenet_tcp_bind_all_ports(svirt_t) -+allow svirt_tcg_t self:process { execmem execstack }; -+allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms; - +- -corenet_sendrecv_all_client_packets(svirt_t) -corenet_tcp_connect_all_ports(svirt_t) +corenet_udp_sendrecv_generic_if(svirt_tcg_t) 
@@ -90409,7 +90498,7 @@ index 1f22fba..99dd3a5 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -448,42 +302,28 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +@@ -448,42 +301,28 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) @@ -90455,7 +90544,7 @@ index 1f22fba..99dd3a5 100644 logging_log_filetrans(virtd_t, virt_log_t, { file dir }) manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -@@ -496,16 +336,11 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -496,16 +335,11 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) @@ -90476,7 +90565,7 @@ index 1f22fba..99dd3a5 100644 kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) kernel_rw_net_sysctls(virtd_t) -@@ -513,6 +348,7 @@ kernel_read_kernel_sysctls(virtd_t) +@@ -513,6 +347,7 @@ kernel_read_kernel_sysctls(virtd_t) kernel_request_load_module(virtd_t) kernel_search_debugfs(virtd_t) kernel_setsched(virtd_t) @@ -90484,7 +90573,7 @@ index 1f22fba..99dd3a5 100644 corecmd_exec_bin(virtd_t) corecmd_exec_shell(virtd_t) -@@ -520,24 +356,16 @@ corecmd_exec_shell(virtd_t) +@@ -520,24 +355,16 @@ corecmd_exec_shell(virtd_t) corenet_all_recvfrom_netlabel(virtd_t) corenet_tcp_sendrecv_generic_if(virtd_t) corenet_tcp_sendrecv_generic_node(virtd_t) @@ -90512,7 +90601,7 @@ index 1f22fba..99dd3a5 100644 dev_rw_sysfs(virtd_t) dev_read_urand(virtd_t) dev_read_rand(virtd_t) -@@ -548,22 +376,23 @@ dev_rw_vhost(virtd_t) +@@ -548,22 +375,23 @@ dev_rw_vhost(virtd_t) dev_setattr_generic_usb_dev(virtd_t) dev_relabel_generic_usb_dev(virtd_t) 
@@ -90541,7 +90630,7 @@ index 1f22fba..99dd3a5 100644 fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) -@@ -594,15 +423,18 @@ term_use_ptmx(virtd_t) +@@ -594,15 +422,18 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) @@ -90561,20 +90650,20 @@ index 1f22fba..99dd3a5 100644 selinux_validate_context(virtd_t) -@@ -613,18 +445,24 @@ seutil_read_file_contexts(virtd_t) +@@ -613,18 +444,24 @@ seutil_read_file_contexts(virtd_t) sysnet_signull_ifconfig(virtd_t) sysnet_signal_ifconfig(virtd_t) sysnet_domtrans_ifconfig(virtd_t) +sysnet_read_config(virtd_t) -userdom_read_all_users_state(virtd_t) -- --ifdef(`hide_broken_symptoms',` -- dontaudit virtd_t self:capability { sys_module sys_ptrace }; --') +systemd_dbus_chat_logind(virtd_t) +systemd_write_inhibit_pipes(virtd_t) +-ifdef(`hide_broken_symptoms',` +- dontaudit virtd_t self:capability { sys_module sys_ptrace }; +-') +- -tunable_policy(`virt_use_fusefs',` - fs_manage_fusefs_dirs(virtd_t) - fs_manage_fusefs_files(virtd_t) @@ -90596,7 +90685,7 @@ index 1f22fba..99dd3a5 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -633,7 +471,7 @@ tunable_policy(`virt_use_nfs',` +@@ -633,7 +470,7 @@ tunable_policy(`virt_use_nfs',` ') tunable_policy(`virt_use_samba',` @@ -90605,7 +90694,7 @@ index 1f22fba..99dd3a5 100644 fs_manage_cifs_files(virtd_t) fs_read_cifs_symlinks(virtd_t) ') -@@ -658,95 +496,325 @@ optional_policy(` +@@ -658,95 +495,325 @@ optional_policy(` ') optional_policy(` 
@@ -90977,7 +91066,7 @@ index 1f22fba..99dd3a5 100644 manage_files_pattern(virsh_t, virt_image_type, virt_image_type) manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type) -@@ -758,23 +826,16 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +@@ -758,23 +825,16 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) @@ -91008,7 +91097,7 @@ index 1f22fba..99dd3a5 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -785,25 +846,18 @@ kernel_write_xen_state(virsh_t) +@@ -785,25 +845,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -91035,7 +91124,7 @@ index 1f22fba..99dd3a5 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -812,24 +866,22 @@ fs_search_auto_mountpoints(virsh_t) +@@ -812,24 +865,22 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -91067,7 +91156,7 @@ index 1f22fba..99dd3a5 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) fs_manage_nfs_files(virsh_t) -@@ -847,14 +899,20 @@ optional_policy(` +@@ -847,14 +898,20 @@ optional_policy(` ') optional_policy(` @@ -91089,7 +91178,7 @@ index 1f22fba..99dd3a5 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -879,34 +937,45 @@ optional_policy(` +@@ -879,34 +936,45 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) 
@@ -91144,7 +91233,7 @@ index 1f22fba..99dd3a5 100644 manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) -@@ -916,12 +985,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) +@@ -916,12 +984,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom }; allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom }; @@ -91162,7 +91251,7 @@ index 1f22fba..99dd3a5 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -933,10 +1007,8 @@ dev_read_urand(virtd_lxc_t) +@@ -933,10 +1006,8 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -91173,7 +91262,7 @@ index 1f22fba..99dd3a5 100644 files_relabel_rootfs(virtd_lxc_t) files_mounton_non_security(virtd_lxc_t) files_mount_all_file_type_fs(virtd_lxc_t) -@@ -944,6 +1016,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t) +@@ -944,6 +1015,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t) files_list_isid_type_dirs(virtd_lxc_t) files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set) @@ -91181,7 +91270,7 @@ index 1f22fba..99dd3a5 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -955,15 +1028,11 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -955,15 +1027,11 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) @@ -91200,7 +91289,7 @@ index 1f22fba..99dd3a5 100644 term_use_generic_ptys(virtd_lxc_t) term_use_ptmx(virtd_lxc_t) -@@ -973,21 +1042,40 @@ auth_use_nsswitch(virtd_lxc_t) +@@ -973,21 +1041,40 @@ auth_use_nsswitch(virtd_lxc_t) logging_send_syslog_msg(virtd_lxc_t) 
@@ -91249,7 +91338,7 @@ index 1f22fba..99dd3a5 100644 allow svirt_lxc_domain self:fifo_file manage_file_perms; allow svirt_lxc_domain self:sem create_sem_perms; allow svirt_lxc_domain self:shm create_shm_perms; -@@ -995,18 +1083,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms; +@@ -995,18 +1082,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms; allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto }; allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms }; @@ -91276,7 +91365,7 @@ index 1f22fba..99dd3a5 100644 manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) -@@ -1015,17 +1101,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +@@ -1015,17 +1100,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) @@ -91289,13 +91378,14 @@ index 1f22fba..99dd3a5 100644 - kernel_getattr_proc(svirt_lxc_domain) kernel_list_all_proc(svirt_lxc_domain) - kernel_read_kernel_sysctls(svirt_lxc_domain) +-kernel_read_kernel_sysctls(svirt_lxc_domain) ++kernel_read_all_sysctls(svirt_lxc_domain) kernel_rw_net_sysctls(svirt_lxc_domain) -kernel_read_system_state(svirt_lxc_domain) kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain) corecmd_exec_all_executables(svirt_lxc_domain) -@@ -1037,21 +1120,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain) +@@ -1037,21 +1119,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain) files_dontaudit_getattr_all_sockets(svirt_lxc_domain) files_dontaudit_list_all_mountpoints(svirt_lxc_domain) files_dontaudit_write_etc_runtime_files(svirt_lxc_domain) 
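Review bot: `kernel_read_all_sysctls(svirt_lxc_domain)` replaces kernel_read_kernel_sysctls and so gives every libvirt container domain read access to all sysctl trees, not just kernel.*; a comment naming the sysctl the container needed, e.g. `# containers read <sysctl> (TODO confirm)`, would let this be re-narrowed if a per-tree interface suffices. Since svirt_lxc_domain is the attribute the guest workloads themselves run under, each widening of sysctl visibility is host information the guest can read, so it would help to know which denial drove it.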
@@ -91322,7 +91412,7 @@ index 1f22fba..99dd3a5 100644 auth_dontaudit_read_login_records(svirt_lxc_domain) auth_dontaudit_write_login_records(svirt_lxc_domain) auth_search_pam_console_data(svirt_lxc_domain) -@@ -1063,96 +1145,92 @@ init_dontaudit_write_utmp(svirt_lxc_domain) +@@ -1063,96 +1144,92 @@ init_dontaudit_write_utmp(svirt_lxc_domain) libs_dontaudit_setattr_lib_files(svirt_lxc_domain) @@ -91461,7 +91551,7 @@ index 1f22fba..99dd3a5 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1165,12 +1243,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1165,12 +1242,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -91476,7 +91566,7 @@ index 1f22fba..99dd3a5 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1183,9 +1261,8 @@ optional_policy(` +@@ -1183,9 +1260,8 @@ optional_policy(` ######################################## # @@ -91487,7 +91577,7 @@ index 1f22fba..99dd3a5 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1198,5 +1275,114 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1198,5 +1274,114 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) @@ -94280,7 +94370,7 @@ index dd63de0..38ce620 100644 - admin_pattern($1, zabbix_tmpfs_t) ') diff --git a/zabbix.te b/zabbix.te -index 46e4cd3..29d4996 100644 +index 46e4cd3..4dec288 100644 --- a/zabbix.te +++ b/zabbix.te @@ -6,7 +6,7 @@ policy_module(zabbix, 1.5.3) 
@@ -94328,6 +94418,15 @@ index 46e4cd3..29d4996 100644 ') ######################################## +@@ -133,7 +129,7 @@ optional_policy(` + # + + allow zabbix_agent_t self:capability { setuid setgid }; +-allow zabbix_agent_t self:process { setsched getsched signal }; ++allow zabbix_agent_t self:process { setpgid setsched getsched signal }; + allow zabbix_agent_t self:fifo_file rw_fifo_file_perms; + allow zabbix_agent_t self:sem create_sem_perms; + allow zabbix_agent_t self:shm create_shm_perms; @@ -182,7 +178,6 @@ domain_search_all_domains_state(zabbix_agent_t) files_getattr_all_dirs(zabbix_agent_t) files_getattr_all_files(zabbix_agent_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 07df3ec..c46a931 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 63%{?dist} +Release: 64%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -539,6 +539,19 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri Jul 12 2013 Miroslav Grepl 3.12.1-64 +- Add support for gluster ports +- Make sure that all keys located in /etc/ssh/ are labeled correctly +- Make sure apcuspd lock files get created with the correct label +- Use getcap in gluster.te +- Fix gluster policy +- add additional fixes to allow beam.smp to interact with couchdb files +- Additional fix for #974149 +- Allow gluster to user gluster ports +- Allow glusterd to transition to rpcd_t and add additional fixes for #980683 +- Allow tgtd working when accessing to the passthrough device +- Fix labeling for mdadm unit files + * Wed Jul 10 2013 Miroslav Grepl 3.12.1-63 - Add systemd support for mdadm