diff --git a/policy-F16.patch b/policy-F16.patch
index 2f1e6f9..d14ef34 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -11599,7 +11599,7 @@ index c8254dd..340a2d7 100644
/var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
+/var/run/tmux(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
diff --git a/policy/modules/apps/screen.if b/policy/modules/apps/screen.if
-index a57e81e..f9fbc60 100644
+index a57e81e..efa6b13 100644
--- a/policy/modules/apps/screen.if
+++ b/policy/modules/apps/screen.if
@@ -25,6 +25,7 @@ template(`screen_role_template',`
@@ -11665,7 +11665,7 @@ index a57e81e..f9fbc60 100644
manage_fifo_files_pattern($3, screen_home_t, screen_home_t)
manage_dirs_pattern($3, screen_home_t, screen_home_t)
-@@ -87,77 +55,22 @@ template(`screen_role_template',`
+@@ -87,77 +55,41 @@ template(`screen_role_template',`
relabel_lnk_files_pattern($3, screen_home_t, screen_home_t)
manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t)
@@ -11720,11 +11720,11 @@ index a57e81e..f9fbc60 100644
- init_rw_utmp($1_screen_t)
-
- logging_send_syslog_msg($1_screen_t)
--
+
- miscfiles_read_localization($1_screen_t)
-
- seutil_read_config($1_screen_t)
-
+-
- userdom_use_user_terminals($1_screen_t)
- userdom_create_user_pty($1_screen_t)
userdom_user_home_domtrans($1_screen_t, $3)
@@ -11743,6 +11743,25 @@ index a57e81e..f9fbc60 100644
- fs_read_nfs_symlinks($1_screen_t)
')
')
++
++######################################
++##
++## Execute the rssh program
++## in the caller domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`screen_exec',`
++ gen_require(`
++ type screen_exec_t;
++ ')
++
++ can_exec($1, screen_exec_t)
++')
diff --git a/policy/modules/apps/screen.te b/policy/modules/apps/screen.te
index 553bc73..b3b144c 100644
--- a/policy/modules/apps/screen.te
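Review bot: The summary comment added above `screen_exec` reads "Execute the rssh program", but the interface requires `screen_exec_t` and grants `can_exec($1, screen_exec_t)`. The text looks carried over from another module and should read `## Execute the screen program` followed by `## in the caller domain.`. The surrounding `##` lines are bare in this view, so the summary/param markup could not be checked here; it is worth confirming it survived in the real patch. Because the interface gives execution with no domain transition, a one-line remark in the description that screen then runs with the caller's permissions would help anyone deciding between this and `screen_role_template`.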
@@ -50646,10 +50665,10 @@ index 0000000..71d6f47
+')
diff --git a/policy/modules/services/openshift.te b/policy/modules/services/openshift.te
new file mode 100644
-index 0000000..d41f31a
+index 0000000..10019d7
--- /dev/null
+++ b/policy/modules/services/openshift.te
-@@ -0,0 +1,362 @@
+@@ -0,0 +1,370 @@
+policy_module(openshift,1.0.0)
+
+gen_require(`
@@ -50679,12 +50698,12 @@ index 0000000..d41f31a
+oddjob_system_entry(openshift_initrc_t, openshift_initrc_exec_t)
+domain_obj_id_change_exemption(openshift_initrc_t)
+
-+type openshift_tmpfs_t;
-+files_tmpfs_file(openshift_tmpfs_t)
-+
+type openshift_initrc_tmp_t;
+files_tmp_file(openshift_initrc_tmp_t)
+
++type openshift_tmpfs_t;
++files_tmpfs_file(openshift_tmpfs_t)
++
+type openshift_tmp_t, openshift_file_type;
+files_tmp_file(openshift_tmp_t)
+files_mountpoint(openshift_tmp_t)
@@ -50792,6 +50811,7 @@ index 0000000..d41f31a
+manage_dirs_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t)
+manage_files_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t)
+fs_tmpfs_filetrans(openshift_domain, openshift_tmpfs_t, { dir file })
++can_exec(openshift_domain, openshift_tmpfs_t)
+
+manage_dirs_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
+manage_fifo_files_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
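Review bot: The added `can_exec(openshift_domain, openshift_tmpfs_t)` makes `openshift_tmpfs_t` both writable and executable by the same domains, since `manage_files_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t)` two lines above already lets them create and modify those files. Anything a gear process writes to tmpfs can then be run in place, still inside `openshift_domain`. If that is required, the rule deserves a comment stating the need, for example `# gears execute files they stage on tmpfs; no transition, stays in openshift_domain`. Whether this could be narrowed is not decidable from the hunk, as the rest of the openshift.te rules lie outside it.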
@@ -50821,7 +50841,6 @@ index 0000000..d41f31a
+corecmd_exec_all_executables(openshift_domain)
+
+dev_read_sysfs(openshift_domain)
-+dev_read_urand(openshift_domain)
+dev_read_rand(openshift_domain)
+dev_dontaudit_append_rand(openshift_domain)
+dev_dontaudit_write_urand(openshift_domain)
@@ -50869,6 +50888,7 @@ index 0000000..d41f31a
+libs_exec_ld_so(openshift_domain)
+
+term_use_ptmx(openshift_domain)
++term_use_generic_ptys(openshift_domain)
+
+selinux_validate_context(openshift_domain)
+
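Review bot: `term_use_generic_ptys(openshift_domain)` grants read/write on the generic pty type, not on a pty type owned by openshift. Every gear domain can therefore use any pty still carrying that generic label, and nothing in the hunk says which denial prompted it. The `@@ -50987` hunk has the same gap, where `ssh_dontaudit_use_ptys(openshift_cgroup_read_t)` becomes `ssh_use_ptys(openshift_cgroup_read_t)` and a silenced denial turns into an actual grant for the cgroup-read helper. Each line should carry its reason, for example `# gear shells inherit a generic pty from <caller>` and `# helper writes its output to the inherited sshd pty`, with the placeholder and wording adjusted to the real AVC. If the access is only an inherited descriptor, it is worth checking whether an inherited-only permission set would cover it.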
@@ -50876,7 +50896,6 @@ index 0000000..d41f31a
+
+init_dontaudit_read_utmp(openshift_domain)
+
-+miscfiles_read_localization(openshift_domain)
+miscfiles_read_fonts(openshift_domain)
+miscfiles_dontaudit_setattr_fonts_cache_dirs(openshift_domain)
+
@@ -50898,15 +50917,19 @@ index 0000000..d41f31a
+ apache_read_sys_content(openshift_domain)
+ apache_exec_sys_script(openshift_domain)
+ apache_entrypoint(openshift_domain)
++')
+
++optional_policy(`
+ #############################################
+ #
+ # openshift cgi script policy
+ #
+ apache_content_template(openshift)
+ domtrans_pattern(httpd_openshift_script_t, openshift_initrc_exec_t, openshift_initrc_t)
++
+ optional_policy(`
+ dbus_system_bus_client(httpd_openshift_script_t)
++
+ optional_policy(`
+ oddjob_dbus_chat(httpd_openshift_script_t)
+ oddjob_dontaudit_rw_fifo_file(openshift_domain)
@@ -50927,6 +50950,10 @@ index 0000000..d41f31a
+')
+
+optional_policy(`
++ screen_exec(openshift_domain)
++')
++
++optional_policy(`
+ ssh_use_ptys(openshift_domain)
+ ssh_getattr_user_home_dir(openshift_domain)
+ ssh_dontaudit_search_user_home_dir(openshift_domain)
@@ -50987,7 +51014,7 @@ index 0000000..d41f31a
+allow openshift_cgroup_read_t self:unix_stream_socket create_stream_socket_perms;
+allow openshift_cgroup_read_t openshift_initrc_t:fifo_file rw_inherited_fifo_file_perms;
+
-+ssh_dontaudit_use_ptys(openshift_cgroup_read_t)
++ssh_use_ptys(openshift_cgroup_read_t)
+
+corecmd_exec_bin(openshift_cgroup_read_t)
+
diff --git a/selinux-policy.spec b/selinux-policy.spec
index f87e921..0b44950 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 96%{?dist}
+Release: 97%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,9 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Thu Nov 15 2012 Miroslav Grepl 3.10.0-97
+- Backport openshift fixes from F18
+
* Tue Nov 13 2012 Miroslav Grepl 3.10.0-96
- httpd needs to send signull to openshift init script
- Allow prelink_cron_system_t to overide user componant when cp -a-