diff --git a/policy-f20-base.patch b/policy-f20-base.patch
index e81ace6..20d3191 100644
--- a/policy-f20-base.patch
+++ b/policy-f20-base.patch
@@ -19267,16 +19267,17 @@ index 156c333..02f5a3c 100644
+ dev_manage_generic_blk_files(fixed_disk_raw_write)
+')
diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc
-index 7d45d15..22c9cfe 100644
+index 7d45d15..a3e5a1e 100644
--- a/policy/modules/kernel/terminal.fc
+++ b/policy/modules/kernel/terminal.fc
-@@ -14,11 +14,12 @@
+@@ -14,11 +14,13 @@
/dev/ip2[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/isdn.* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/ptmx -c gen_context(system_u:object_r:ptmx_t,s0)
-/dev/pts/ptmx -c gen_context(system_u:object_r:ptmx_t,s0)
/dev/rfcomm[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/slamr[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
++/dev/sclp_line[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/tty -c gen_context(system_u:object_r:devtty_t,s0)
/dev/ttySG.* -c gen_context(system_u:object_r:tty_device_t,s0)
+/dev/ttyUSB[0-9]+ -c gen_context(system_u:object_r:usbtty_device_t,s0)
@@ -19284,7 +19285,7 @@ index 7d45d15..22c9cfe 100644
/dev/xvc[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/pty/.* -c gen_context(system_u:object_r:bsdpty_device_t,s0)
-@@ -41,3 +42,7 @@ ifdef(`distro_gentoo',`
+@@ -41,3 +43,7 @@ ifdef(`distro_gentoo',`
# used by init scripts to initally populate udev /dev
/lib/udev/devices/console -c gen_context(system_u:object_r:console_device_t,s0)
')
@@ -19293,7 +19294,7 @@ index 7d45d15..22c9cfe 100644
+
+/usr/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index 771bce1..5bbf50b 100644
+index 771bce1..e3722ab 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -124,7 +124,7 @@ interface(`term_user_tty',`
@@ -19520,7 +19521,33 @@ index 771bce1..5bbf50b 100644
##
##
#
-@@ -1259,7 +1376,47 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+@@ -1165,6 +1282,25 @@ interface(`term_relabel_unallocated_ttys',`
+
+ ########################################
+ ##
++## Mounton unallocated tty device nodes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`term_mounton_unallocated_ttys',`
++ gen_require(`
++ type tty_device_t;
++ ')
++
++ allow $1 tty_device_t:chr_file mounton;
++')
++
++########################################
++##
+ ## Relabel from all user tty types to
+ ## the unallocated tty type.
+ ##
+@@ -1259,7 +1395,47 @@ interface(`term_dontaudit_use_unallocated_ttys',`
type tty_device_t;
')
@@ -19569,7 +19596,7 @@ index 771bce1..5bbf50b 100644
')
########################################
-@@ -1275,11 +1432,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+@@ -1275,11 +1451,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
#
interface(`term_getattr_all_ttys',`
gen_require(`
@@ -19583,7 +19610,7 @@ index 771bce1..5bbf50b 100644
')
########################################
-@@ -1296,10 +1455,12 @@ interface(`term_getattr_all_ttys',`
+@@ -1296,10 +1474,12 @@ interface(`term_getattr_all_ttys',`
interface(`term_dontaudit_getattr_all_ttys',`
gen_require(`
attribute ttynode;
@@ -19596,7 +19623,7 @@ index 771bce1..5bbf50b 100644
')
########################################
-@@ -1377,7 +1538,27 @@ interface(`term_use_all_ttys',`
+@@ -1377,7 +1557,27 @@ interface(`term_use_all_ttys',`
')
dev_list_all_dev_nodes($1)
@@ -19625,7 +19652,7 @@ index 771bce1..5bbf50b 100644
')
########################################
-@@ -1396,7 +1577,7 @@ interface(`term_dontaudit_use_all_ttys',`
+@@ -1396,7 +1596,7 @@ interface(`term_dontaudit_use_all_ttys',`
attribute ttynode;
')
@@ -19634,7 +19661,7 @@ index 771bce1..5bbf50b 100644
')
########################################
-@@ -1504,7 +1685,7 @@ interface(`term_use_all_user_ttys',`
+@@ -1504,7 +1704,7 @@ interface(`term_use_all_user_ttys',`
##
##
##
@@ -19643,7 +19670,7 @@ index 771bce1..5bbf50b 100644
##
##
#
-@@ -1512,3 +1693,436 @@ interface(`term_dontaudit_use_all_user_ttys',`
+@@ -1512,3 +1712,436 @@ interface(`term_dontaudit_use_all_user_ttys',`
refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.')
term_dontaudit_use_all_ttys($1)
')
@@ -24565,7 +24592,7 @@ index d1f64a0..8773437 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 6bf0ecc..115c533 100644
+index 6bf0ecc..0d55916 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -18,100 +18,37 @@
@@ -25549,7 +25576,7 @@ index 6bf0ecc..115c533 100644
')
########################################
-@@ -1284,10 +1679,624 @@ interface(`xserver_manage_core_devices',`
+@@ -1284,10 +1679,643 @@ interface(`xserver_manage_core_devices',`
#
interface(`xserver_unconfined',`
gen_require(`
@@ -26176,6 +26203,25 @@ index 6bf0ecc..115c533 100644
+
+ dontaudit $1 xserver_log_t:dir search_dir_perms;
+')
++
++########################################
++##
++## Manage keys for xdm.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_rw_xdm_keys',`
++ gen_require(`
++ type xdm_t;
++ ')
++
++ allow $1 xdm_t:key { read write };
++')
++
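Review bot: The summary on the new `xserver_rw_xdm_keys` interface says "Manage keys for xdm." but the only rule it adds is `allow $1 xdm_t:key { read write };`, which is read/write, not manage_key_perms; the description should be `## Read and write the xdm keyring.` so a caller does not assume it may also create, link or search keys. Write access to another domain's keyring is a notable grant (the caller can in principle update keys that xdm_t later reads), so the summary is worth a sentence naming the intended consumer, a login program. The interface is complete within the hunk.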
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 2696452..a2c6981 100644
--- a/policy/modules/services/xserver.te
@@ -28724,7 +28770,7 @@ index 3efd5b6..08c3e93 100644
+ allow $1 login_pgm:process sigchld;
+')
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 104037e..a2e2fcf 100644
+index 104037e..dde9309 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -5,6 +5,19 @@ policy_module(authlogin, 2.4.2)
@@ -29036,7 +29082,7 @@ index 104037e..a2e2fcf 100644
')
optional_policy(`
-@@ -463,3 +508,134 @@ optional_policy(`
+@@ -463,3 +508,135 @@ optional_policy(`
samba_read_var_files(nsswitch_domain)
samba_dontaudit_write_var_files(nsswitch_domain)
')
@@ -29052,6 +29098,7 @@ index 104037e..a2e2fcf 100644
+
+allow login_pgm self:netlink_kobject_uevent_socket create_socket_perms;
+allow login_pgm self:capability ipc_lock;
++dontaudit login_pgm self:capability net_admin;
+allow login_pgm self:process setkeycreate;
+allow login_pgm self:key manage_key_perms;
+userdom_manage_all_users_keys(login_pgm)
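Review bot: The new `dontaudit login_pgm self:capability net_admin;` silences a capability check without recording which login program triggers it, and because it is a dontaudit rather than an allow, a real need for net_admin by any login_pgm member would now fail silently. If the denial is a benign probe (kernel capability checks during socket setup are a frequent source of such AVCs, though I cannot confirm that from the hunk), a comment such as `# net_admin is only probed, not required; keep as dontaudit` should say so; if some member actually needs it, this should be an allow instead. The login_pgm rule block continues outside the hunk.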
@@ -29365,7 +29412,7 @@ index 016a770..1effeb4 100644
+ files_pid_filetrans($1, fsadm_var_run_t, dir, "blkid")
+')
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
-index 6c4b6ee..f512b72 100644
+index 6c4b6ee..9eebe0b 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -13,6 +13,9 @@ role system_r types fsadm_t;
@@ -29378,7 +29425,15 @@ index 6c4b6ee..f512b72 100644
type fsadm_tmp_t;
files_tmp_file(fsadm_tmp_t)
-@@ -41,9 +44,15 @@ allow fsadm_t self:msg { send receive };
+@@ -26,6 +29,7 @@ files_type(swapfile_t)
+
+ # ipc_lock is for losetup
+ allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_resource sys_tty_config dac_override dac_read_search };
++dontaudit fsadm_t self:capability net_admin;
+ allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execmem execheap };
+ allow fsadm_t self:fd use;
+ allow fsadm_t self:fifo_file rw_fifo_file_perms;
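Review bot: The new `dontaudit fsadm_t self:capability net_admin;` lacks the why-comment this file already uses for capabilities (`# ipc_lock is for losetup` two lines above), so the next reader cannot tell which fs tool probes net_admin or whether the denial was just noise. Add one in the same style, e.g. `# net_admin: spurious check from <tool>, not required`, naming the tool from the AVC that motivated the change. Since this is a dontaudit rather than an allow, it is also worth confirming no fsadm tool genuinely depends on net_admin, as a required capability that is denied silently is much harder to diagnose later.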
+@@ -41,9 +45,15 @@ allow fsadm_t self:msg { send receive };
can_exec(fsadm_t, fsadm_exec_t)
@@ -29394,7 +29449,7 @@ index 6c4b6ee..f512b72 100644
# log files
allow fsadm_t fsadm_log_t:dir setattr;
-@@ -53,6 +62,7 @@ logging_log_filetrans(fsadm_t, fsadm_log_t, file)
+@@ -53,6 +63,7 @@ logging_log_filetrans(fsadm_t, fsadm_log_t, file)
# Enable swapping to files
allow fsadm_t swapfile_t:file { rw_file_perms swapon };
@@ -29402,7 +29457,7 @@ index 6c4b6ee..f512b72 100644
kernel_read_system_state(fsadm_t)
kernel_read_kernel_sysctls(fsadm_t)
kernel_request_load_module(fsadm_t)
-@@ -101,6 +111,8 @@ files_read_usr_files(fsadm_t)
+@@ -101,6 +112,8 @@ files_read_usr_files(fsadm_t)
files_read_etc_files(fsadm_t)
files_manage_lost_found(fsadm_t)
files_manage_isid_type_dirs(fsadm_t)
@@ -29411,7 +29466,7 @@ index 6c4b6ee..f512b72 100644
# Write to /etc/mtab.
files_manage_etc_runtime_files(fsadm_t)
files_etc_filetrans_etc_runtime(fsadm_t, file)
-@@ -120,6 +132,9 @@ fs_list_auto_mountpoints(fsadm_t)
+@@ -120,6 +133,9 @@ fs_list_auto_mountpoints(fsadm_t)
fs_search_tmpfs(fsadm_t)
fs_getattr_tmpfs_dirs(fsadm_t)
fs_read_tmpfs_symlinks(fsadm_t)
@@ -29421,7 +29476,7 @@ index 6c4b6ee..f512b72 100644
# Recreate /mnt/cdrom.
files_manage_mnt_dirs(fsadm_t)
# for tune2fs
-@@ -133,21 +148,27 @@ storage_raw_write_fixed_disk(fsadm_t)
+@@ -133,21 +149,27 @@ storage_raw_write_fixed_disk(fsadm_t)
storage_raw_read_removable_device(fsadm_t)
storage_raw_write_removable_device(fsadm_t)
storage_read_scsi_generic(fsadm_t)
@@ -29451,7 +29506,7 @@ index 6c4b6ee..f512b72 100644
ifdef(`distro_redhat',`
optional_policy(`
-@@ -166,6 +187,11 @@ optional_policy(`
+@@ -166,6 +188,11 @@ optional_policy(`
')
optional_policy(`
@@ -29463,7 +29518,7 @@ index 6c4b6ee..f512b72 100644
hal_dontaudit_write_log(fsadm_t)
')
-@@ -179,6 +205,10 @@ optional_policy(`
+@@ -179,6 +206,10 @@ optional_policy(`
')
optional_policy(`
@@ -29474,7 +29529,7 @@ index 6c4b6ee..f512b72 100644
nis_use_ypbind(fsadm_t)
')
-@@ -192,6 +222,10 @@ optional_policy(`
+@@ -192,6 +223,10 @@ optional_policy(`
')
optional_policy(`
@@ -31279,7 +31334,7 @@ index 24e7804..50a981b 100644
+ files_etc_filetrans($1, machineid_t, file, "machine-id" )
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index dd3be8d..28c790f 100644
+index dd3be8d..c207a0a 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@@ -31461,11 +31516,12 @@ index dd3be8d..28c790f 100644
domain_getpgid_all_domains(init_t)
domain_kill_all_domains(init_t)
-@@ -139,14 +220,21 @@ domain_signal_all_domains(init_t)
+@@ -139,14 +220,22 @@ domain_signal_all_domains(init_t)
domain_signull_all_domains(init_t)
domain_sigstop_all_domains(init_t)
domain_sigchld_all_domains(init_t)
+domain_read_all_domains_state(init_t)
++domain_getattr_all_domains(init_t)
files_read_etc_files(init_t)
+files_read_all_pids(init_t)
@@ -31483,7 +31539,7 @@ index dd3be8d..28c790f 100644
# file descriptors inherited from the rootfs:
files_dontaudit_rw_root_files(init_t)
files_dontaudit_rw_root_chr_files(init_t)
-@@ -156,28 +244,52 @@ fs_list_inotifyfs(init_t)
+@@ -156,28 +245,52 @@ fs_list_inotifyfs(init_t)
fs_write_ramfs_sockets(init_t)
mcs_process_set_categories(init_t)
@@ -31539,7 +31595,7 @@ index dd3be8d..28c790f 100644
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
-@@ -186,29 +298,225 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +299,225 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@@ -31773,7 +31829,7 @@ index dd3be8d..28c790f 100644
')
optional_policy(`
-@@ -216,7 +524,30 @@ optional_policy(`
+@@ -216,7 +525,30 @@ optional_policy(`
')
optional_policy(`
@@ -31804,7 +31860,7 @@ index dd3be8d..28c790f 100644
')
########################################
-@@ -225,8 +556,9 @@ optional_policy(`
+@@ -225,8 +557,9 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -31816,7 +31872,7 @@ index dd3be8d..28c790f 100644
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -257,12 +589,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -257,12 +590,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -31833,7 +31889,7 @@ index dd3be8d..28c790f 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -278,23 +614,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -278,23 +615,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -31876,7 +31932,7 @@ index dd3be8d..28c790f 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -302,9 +651,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -302,9 +652,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -31888,7 +31944,7 @@ index dd3be8d..28c790f 100644
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
-@@ -312,8 +663,10 @@ dev_write_framebuffer(initrc_t)
+@@ -312,8 +664,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -31899,7 +31955,7 @@ index dd3be8d..28c790f 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -321,8 +674,7 @@ dev_manage_generic_files(initrc_t)
+@@ -321,8 +675,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -31909,7 +31965,7 @@ index dd3be8d..28c790f 100644
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
-@@ -331,7 +683,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -331,7 +684,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -31917,7 +31973,7 @@ index dd3be8d..28c790f 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -339,6 +690,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -339,6 +691,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -31925,7 +31981,7 @@ index dd3be8d..28c790f 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -346,14 +698,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -346,14 +699,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -31943,7 +31999,7 @@ index dd3be8d..28c790f 100644
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t)
-@@ -363,8 +716,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -363,8 +717,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -31957,7 +32013,7 @@ index dd3be8d..28c790f 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -374,10 +731,11 @@ fs_mount_all_fs(initrc_t)
+@@ -374,10 +732,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -31971,7 +32027,7 @@ index dd3be8d..28c790f 100644
mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t)
-@@ -386,6 +744,7 @@ mls_process_read_up(initrc_t)
+@@ -386,6 +745,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -31979,7 +32035,7 @@ index dd3be8d..28c790f 100644
selinux_get_enforce_mode(initrc_t)
-@@ -397,6 +756,7 @@ term_use_all_terms(initrc_t)
+@@ -397,6 +757,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -31987,7 +32043,7 @@ index dd3be8d..28c790f 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -415,20 +775,18 @@ logging_read_all_logs(initrc_t)
+@@ -415,20 +776,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -32011,7 +32067,7 @@ index dd3be8d..28c790f 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -450,7 +808,6 @@ ifdef(`distro_gentoo',`
+@@ -450,7 +809,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t)
@@ -32019,7 +32075,7 @@ index dd3be8d..28c790f 100644
term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks
-@@ -485,6 +842,10 @@ ifdef(`distro_gentoo',`
+@@ -485,6 +843,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -32030,7 +32086,7 @@ index dd3be8d..28c790f 100644
alsa_read_lib(initrc_t)
')
-@@ -505,7 +866,7 @@ ifdef(`distro_redhat',`
+@@ -505,7 +867,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -32039,7 +32095,7 @@ index dd3be8d..28c790f 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -520,6 +881,7 @@ ifdef(`distro_redhat',`
+@@ -520,6 +882,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -32047,7 +32103,7 @@ index dd3be8d..28c790f 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -540,6 +902,7 @@ ifdef(`distro_redhat',`
+@@ -540,6 +903,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@@ -32055,7 +32111,7 @@ index dd3be8d..28c790f 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -549,8 +912,44 @@ ifdef(`distro_redhat',`
+@@ -549,8 +913,44 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -32100,7 +32156,7 @@ index dd3be8d..28c790f 100644
')
optional_policy(`
-@@ -558,14 +957,31 @@ ifdef(`distro_redhat',`
+@@ -558,14 +958,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -32132,7 +32188,7 @@ index dd3be8d..28c790f 100644
')
')
-@@ -576,6 +992,39 @@ ifdef(`distro_suse',`
+@@ -576,6 +993,39 @@ ifdef(`distro_suse',`
')
')
@@ -32172,7 +32228,7 @@ index dd3be8d..28c790f 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -588,6 +1037,8 @@ optional_policy(`
+@@ -588,6 +1038,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -32181,7 +32237,7 @@ index dd3be8d..28c790f 100644
')
optional_policy(`
-@@ -609,6 +1060,7 @@ optional_policy(`
+@@ -609,6 +1061,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -32189,7 +32245,7 @@ index dd3be8d..28c790f 100644
')
optional_policy(`
-@@ -625,6 +1077,17 @@ optional_policy(`
+@@ -625,6 +1078,17 @@ optional_policy(`
')
optional_policy(`
@@ -32207,7 +32263,7 @@ index dd3be8d..28c790f 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -641,9 +1104,13 @@ optional_policy(`
+@@ -641,9 +1105,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -32221,7 +32277,7 @@ index dd3be8d..28c790f 100644
')
optional_policy(`
-@@ -656,15 +1123,11 @@ optional_policy(`
+@@ -656,15 +1124,11 @@ optional_policy(`
')
optional_policy(`
@@ -32239,7 +32295,7 @@ index dd3be8d..28c790f 100644
')
optional_policy(`
-@@ -685,6 +1148,15 @@ optional_policy(`
+@@ -685,6 +1149,15 @@ optional_policy(`
')
optional_policy(`
@@ -32255,7 +32311,7 @@ index dd3be8d..28c790f 100644
inn_exec_config(initrc_t)
')
-@@ -725,6 +1197,7 @@ optional_policy(`
+@@ -725,6 +1198,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -32263,7 +32319,7 @@ index dd3be8d..28c790f 100644
')
optional_policy(`
-@@ -742,7 +1215,13 @@ optional_policy(`
+@@ -742,7 +1216,13 @@ optional_policy(`
')
optional_policy(`
@@ -32278,7 +32334,7 @@ index dd3be8d..28c790f 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -765,6 +1244,10 @@ optional_policy(`
+@@ -765,6 +1245,10 @@ optional_policy(`
')
optional_policy(`
@@ -32289,7 +32345,7 @@ index dd3be8d..28c790f 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -774,10 +1257,20 @@ optional_policy(`
+@@ -774,10 +1258,20 @@ optional_policy(`
')
optional_policy(`
@@ -32310,7 +32366,7 @@ index dd3be8d..28c790f 100644
quota_manage_flags(initrc_t)
')
-@@ -786,6 +1279,10 @@ optional_policy(`
+@@ -786,6 +1280,10 @@ optional_policy(`
')
optional_policy(`
@@ -32321,7 +32377,7 @@ index dd3be8d..28c790f 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -807,8 +1304,6 @@ optional_policy(`
+@@ -807,8 +1305,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -32330,7 +32386,7 @@ index dd3be8d..28c790f 100644
')
optional_policy(`
-@@ -817,6 +1312,10 @@ optional_policy(`
+@@ -817,6 +1313,10 @@ optional_policy(`
')
optional_policy(`
@@ -32341,7 +32397,7 @@ index dd3be8d..28c790f 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -826,10 +1325,12 @@ optional_policy(`
+@@ -826,10 +1326,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -32354,7 +32410,7 @@ index dd3be8d..28c790f 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -856,12 +1357,35 @@ optional_policy(`
+@@ -856,12 +1358,35 @@ optional_policy(`
')
optional_policy(`
@@ -32391,7 +32447,7 @@ index dd3be8d..28c790f 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -871,6 +1395,18 @@ optional_policy(`
+@@ -871,6 +1396,18 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -32410,7 +32466,7 @@ index dd3be8d..28c790f 100644
')
optional_policy(`
-@@ -886,6 +1422,10 @@ optional_policy(`
+@@ -886,6 +1423,10 @@ optional_policy(`
')
optional_policy(`
@@ -32421,7 +32477,7 @@ index dd3be8d..28c790f 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -896,3 +1436,218 @@ optional_policy(`
+@@ -896,3 +1437,218 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -32641,7 +32697,7 @@ index dd3be8d..28c790f 100644
+ ')
+ ')
diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
-index 662e79b..05d25b0 100644
+index 662e79b..08589f8 100644
--- a/policy/modules/system/ipsec.fc
+++ b/policy/modules/system/ipsec.fc
@@ -1,14 +1,23 @@
@@ -32669,10 +32725,11 @@ index 662e79b..05d25b0 100644
/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0)
-@@ -26,16 +35,23 @@
+@@ -26,16 +35,24 @@
/usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
++/usr/libexec/nm-libreswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
+/usr/libexec/strongswan/.* -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/sbin/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
@@ -33173,10 +33230,10 @@ index 9e54bf9..7ca1e9e 100644
+userdom_use_inherited_user_terminals(setkey_t)
+userdom_read_user_tmp_files(setkey_t)
diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
-index 1b93eb7..b2532aa 100644
+index 1b93eb7..957deb0 100644
--- a/policy/modules/system/iptables.fc
+++ b/policy/modules/system/iptables.fc
-@@ -1,21 +1,27 @@
+@@ -1,21 +1,32 @@
/etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
-/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
@@ -33185,6 +33242,9 @@ index 1b93eb7..b2532aa 100644
+
+/usr/lib/systemd/system/iptables.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
+/usr/lib/systemd/system/ip6tables.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
++/usr/lib/systemd/system/ipset.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
++
++/usr/libexec/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
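Review bot: The new `/usr/libexec/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0)` pattern uses `--`, so it only labels a regular file at exactly that path; if `/usr/libexec/ipset` is instead a directory holding the ipset start/stop helper script (as in some Fedora ipset packaging, which I cannot verify from the hunk), the helper stays unlabelled and the `ipset.service` unit labelled `iptables_unit_file_t` here would not transition it into iptables_t. Confirm the package layout and, if it is a directory, use `/usr/libexec/ipset(/.*)? -- gen_context(system_u:object_r:iptables_exec_t,s0)` so the script is treated the same way as `/usr/sbin/ipset`.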
@@ -33195,6 +33255,7 @@ index 1b93eb7..b2532aa 100644
+/sbin/ip6?tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/sbin/ip6?tables-restore.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/sbin/ip6?tables-multi.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/sbin/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
@@ -33210,6 +33271,7 @@ index 1b93eb7..b2532aa 100644
+/usr/sbin/ip6?tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/ip6?tables-restore.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/ip6?tables-multi.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/usr/sbin/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
@@ -34074,7 +34136,7 @@ index 0e3c2a9..ea9bd57 100644
+ userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin")
+')
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
-index c04ac46..4f4ee1d 100644
+index c04ac46..7b55414 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t)
@@ -34198,7 +34260,15 @@ index c04ac46..4f4ee1d 100644
unconfined_shell_domtrans(local_login_t)
')
-@@ -202,7 +198,7 @@ optional_policy(`
+@@ -195,6 +191,7 @@ optional_policy(`
+ optional_policy(`
+ xserver_read_xdm_tmp_files(local_login_t)
+ xserver_rw_xdm_tmp_files(local_login_t)
++ xserver_rw_xdm_keys(local_login_t)
+ ')
+
+ #################################
+@@ -202,7 +199,7 @@ optional_policy(`
# Sulogin local policy
#
@@ -34207,7 +34277,7 @@ index c04ac46..4f4ee1d 100644
allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow sulogin_t self:fd use;
allow sulogin_t self:fifo_file rw_fifo_file_perms;
-@@ -215,18 +211,27 @@ allow sulogin_t self:sem create_sem_perms;
+@@ -215,18 +212,27 @@ allow sulogin_t self:sem create_sem_perms;
allow sulogin_t self:msgq create_msgq_perms;
allow sulogin_t self:msg { send receive };
@@ -34235,7 +34305,7 @@ index c04ac46..4f4ee1d 100644
logging_send_syslog_msg(sulogin_t)
-@@ -235,17 +240,28 @@ seutil_read_default_contexts(sulogin_t)
+@@ -235,17 +241,28 @@ seutil_read_default_contexts(sulogin_t)
userdom_use_unpriv_users_fds(sulogin_t)
@@ -34266,7 +34336,7 @@ index c04ac46..4f4ee1d 100644
init_getpgid(sulogin_t)
', `
allow sulogin_t self:process setexec;
-@@ -256,11 +272,3 @@ ifdef(`sulogin_no_pam', `
+@@ -256,11 +273,3 @@ ifdef(`sulogin_no_pam', `
selinux_compute_relabel_context(sulogin_t)
selinux_compute_user_contexts(sulogin_t)
')
@@ -36152,7 +36222,7 @@ index 9933677..ca14c17 100644
+
+/var/run/tmpfiles.d/kmod.conf -- gen_context(system_u:object_r:insmod_var_run_t,s0)
diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
-index 7449974..28cb8a3 100644
+index 7449974..23bbbf2 100644
--- a/policy/modules/system/modutils.if
+++ b/policy/modules/system/modutils.if
@@ -12,7 +12,7 @@
@@ -36209,7 +36279,32 @@ index 7449974..28cb8a3 100644
## Read the configuration options used when
## loading modules.
##
-@@ -208,6 +246,24 @@ interface(`modutils_exec_insmod',`
+@@ -163,6 +201,24 @@ interface(`modutils_domtrans_insmod',`
+
+ ########################################
+ ##
++## Allow send signal to insmod.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`modutils_signal_insmod',`
++ gen_require(`
++ type insmod_t;
++ ')
++
++ allow $1 insmod_t:process signal;
++')
++
++########################################
++##
+ ## Execute insmod in the insmod domain, and
+ ## allow the specified role the insmod domain,
+ ## and use the caller's terminal. Has a sigchld
+@@ -208,6 +264,24 @@ interface(`modutils_exec_insmod',`
can_exec($1, insmod_exec_t)
')
@@ -36234,7 +36329,7 @@ index 7449974..28cb8a3 100644
########################################
##
## Execute depmod in the depmod domain.
-@@ -308,11 +364,18 @@ interface(`modutils_domtrans_update_mods',`
+@@ -308,11 +382,18 @@ interface(`modutils_domtrans_update_mods',`
#
interface(`modutils_run_update_mods',`
gen_require(`
@@ -36255,7 +36350,7 @@ index 7449974..28cb8a3 100644
')
########################################
-@@ -333,3 +396,25 @@ interface(`modutils_exec_update_mods',`
+@@ -333,3 +414,25 @@ interface(`modutils_exec_update_mods',`
corecmd_search_bin($1)
can_exec($1, update_modules_exec_t)
')
@@ -41224,10 +41319,10 @@ index 0000000..8bca1d7
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..8376f43
+index 0000000..435ce0f
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,633 @@
+@@ -0,0 +1,634 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -41311,6 +41406,7 @@ index 0000000..8376f43
+
+# dac_override is for /run/user/$USER ($USER ownership is $USER:$USER)
+allow systemd_logind_t self:capability { chown kill dac_override fowner sys_tty_config };
++allow systemd_logind_t self:capability2 block_suspend;
+allow systemd_logind_t self:process getcap;
+allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
@@ -41338,7 +41434,7 @@ index 0000000..8376f43
+dev_getattr_all_blk_files(systemd_logind_t)
+dev_rw_sysfs(systemd_logind_t)
+dev_rw_input_dev(systemd_logind_t)
-+dev_rw_inherited_dri(systemd_logind_t)
++dev_rw_dri(systemd_logind_t)
+dev_setattr_all_chr_files(systemd_logind_t)
+dev_setattr_dri_dev(systemd_logind_t)
+dev_setattr_generic_usb_dev(systemd_logind_t)
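Review bot: Replacing `dev_rw_inherited_dri(systemd_logind_t)` with `dev_rw_dri(systemd_logind_t)` widens logind from using DRM file descriptors it inherits to opening `/dev/dri` nodes itself, and nothing in the hunk records why. If this is for logind opening DRM devices on behalf of sessions (presumably the device hand-off path, which I cannot confirm from here), add a comment on the line such as `# logind opens /dev/dri nodes itself to hand them to sessions` so a later tightening pass does not revert it to the inherited-only form. If the widening was only to silence an AVC on an inherited fd, the narrower interface should be kept.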
@@ -41392,7 +41488,6 @@ index 0000000..8376f43
+init_dbus_chat(systemd_logind_t)
+init_dbus_chat_script(systemd_logind_t)
+init_read_script_state(systemd_logind_t)
-+init_read_state(systemd_logind_t)
+init_rw_stream_sockets(systemd_logind_t)
+
+logging_send_syslog_msg(systemd_logind_t)
@@ -41717,7 +41812,6 @@ index 0000000..8376f43
+dev_read_sysfs(systemd_hostnamed_t)
+
+init_status(systemd_hostnamed_t)
-+init_read_state(systemd_hostnamed_t)
+init_stream_connect(systemd_hostnamed_t)
+
+logging_send_syslog_msg(systemd_hostnamed_t)
@@ -41849,6 +41943,7 @@ index 0000000..8376f43
+init_stop_transient_unit(systemd_domain)
+init_status_transient_unit(systemd_domain)
+init_reload_transient_unit(systemd_domain)
++init_read_state(systemd_domain)
+
+logging_stream_connect_syslog(systemd_domain)
+
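Review bot: `init_read_state(systemd_domain)` grants every domain carrying the systemd_domain attribute the access that earlier hunks of this patch remove from just systemd_logind_t and systemd_hostnamed_t, with no comment on why all of them need it. Reading init's process state is a modest but real widening across every systemd_* daemon; if only some need it, keep the per-domain calls, and otherwise add a comment on this line giving the reason (for example the AVCs that motivated it) so the scope is deliberate rather than convenient. The systemd_domain rule block continues outside the hunk.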
@@ -41861,6 +41956,7 @@ index 0000000..8376f43
+
+read_files_pattern(systemd_domain, systemd_home_t, systemd_home_t)
+read_lnk_files_pattern(systemd_domain, systemd_home_t, systemd_home_t)
++
diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index 40928d8..49fd32e 100644
--- a/policy/modules/system/udev.fc
@@ -47785,7 +47881,7 @@ index 3c5dba7..519b132 100644
+')
+
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index e2b538b..066ae4d 100644
+index e2b538b..252a7aa 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -7,48 +7,43 @@ policy_module(userdomain, 4.8.5)
@@ -47874,7 +47970,7 @@ index e2b538b..066ae4d 100644
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
files_type(user_home_dir_t)
-@@ -70,26 +83,379 @@ ubac_constrained(user_home_dir_t)
+@@ -70,26 +83,380 @@ ubac_constrained(user_home_dir_t)
type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -47934,6 +48030,7 @@ index e2b538b..066ae4d 100644
+
+allow userdomain userdomain:process signull;
+allow userdomain userdomain:fifo_file rw_inherited_fifo_file_perms;
++dontaudit unpriv_userdomain self:rawip_socket create_socket_perms;
+
+# Nautilus causes this avc
+domain_dontaudit_access_check(unpriv_userdomain)
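Review bot: `++dontaudit unpriv_userdomain self:rawip_socket create_socket_perms;` carries no comment naming the program that produced the denial, unlike the `# Nautilus causes this avc` line two lines below it. Raw-IP socket creation by an unprivileged user domain is a denial worth keeping explainable, because once dontaudited it disappears from the audit log for every program in that domain. Adding `# <program> causes this avc` above the rule keeps the suppression reviewable; the same applies to the `net_admin` added to the crond dontaudit in the cron.te hunk further down.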
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index 9e1d01a..eb48e3c 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -1,8 +1,8 @@
diff --git a/abrt.fc b/abrt.fc
-index e4f84de..2ed712d 100644
+index e4f84de..44e709c 100644
--- a/abrt.fc
+++ b/abrt.fc
-@@ -1,30 +1,42 @@
+@@ -1,30 +1,43 @@
-/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
-/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
+/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
@@ -46,6 +46,7 @@ index e4f84de..2ed712d 100644
-/var/cache/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
-/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
+/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
++/var/spool/debug(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
+/var/tmp/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
-/var/log/abrt-logger.* -- gen_context(system_u:object_r:abrt_var_log_t,s0)
@@ -68,7 +69,7 @@ index e4f84de..2ed712d 100644
+/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
+/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
diff --git a/abrt.if b/abrt.if
-index 058d908..10edac5 100644
+index 058d908..a65b9d7 100644
--- a/abrt.if
+++ b/abrt.if
@@ -1,4 +1,26 @@
@@ -373,7 +374,7 @@ index 058d908..10edac5 100644
##
##
##
-@@ -288,39 +425,172 @@ interface(`abrt_manage_pid_files',`
+@@ -288,39 +425,173 @@ interface(`abrt_manage_pid_files',`
##
##
##
@@ -556,6 +557,7 @@ index 058d908..10edac5 100644
+ files_etc_filetrans($1, abrt_etc_t, dir, "abrt")
+ files_var_filetrans($1, abrt_var_cache_t, dir, "abrt")
+ files_var_filetrans($1, abrt_var_cache_t, dir, "abrt-dix")
++ files_var_filetrans($1, abrt_var_cache_t, dir, "debug")
+ files_pid_filetrans($1, abrt_var_run_t, dir, "abrt")
+')
+
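Review bot: `++ files_var_filetrans($1, abrt_var_cache_t, dir, "debug")` keys on the `var_t` parent directory, while the new labeling in the abrt.fc hunk earlier in this file is `/var/spool/debug(/.*)?`; if `/var/spool` carries `var_spool_t` as in refpolicy, this transition never fires for that path and a `debug` directory created under `/var/spool` keeps the parent's type until a relabel. The transition matching the fc entry would be `files_spool_filetrans($1, abrt_var_cache_t, dir, "debug")`; if `/var/cache/debug` was meant instead, the fc line is the one to correct. The enclosing interface begins outside the hunk.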
@@ -3071,10 +3073,10 @@ index 0000000..8ba9c95
+ spamassassin_read_pid_files(antivirus_domain)
+')
diff --git a/apache.fc b/apache.fc
-index 550a69e..908ec3b 100644
+index 550a69e..d75de2b 100644
--- a/apache.fc
+++ b/apache.fc
-@@ -1,161 +1,207 @@
+@@ -1,161 +1,211 @@
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
-HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
+HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@@ -3119,6 +3121,7 @@ index 550a69e..908ec3b 100644
-/etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/WebCalendar(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/etc/thttpd\.conf -- gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/WebCalendar(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
@@ -3191,6 +3194,7 @@ index 550a69e..908ec3b 100644
+/usr/sbin/php-fpm -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
+/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
++/usr/sbin/thttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
+
+ifdef(`distro_suse', `
+/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
@@ -3325,6 +3329,7 @@ index 550a69e..908ec3b 100644
/var/log/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/suphp\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/log/thttpd\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/php_errors\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+ifdef(`distro_debian', `
@@ -3342,6 +3347,7 @@ index 550a69e..908ec3b 100644
+/var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/nginx.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/php-fpm(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/run/thttpd\.pid -- gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/user/apache(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0)
+
@@ -10045,10 +10051,10 @@ index 0000000..de66654
+')
diff --git a/bumblebee.te b/bumblebee.te
new file mode 100644
-index 0000000..e49e117
+index 0000000..6e058fc
--- /dev/null
+++ b/bumblebee.te
-@@ -0,0 +1,64 @@
+@@ -0,0 +1,65 @@
+policy_module(bumblebee, 1.0.0)
+
+########################################
@@ -10096,6 +10102,7 @@ index 0000000..e49e117
+logging_send_syslog_msg(bumblebee_t)
+
+modutils_domtrans_insmod(bumblebee_t)
++modutils_signal_insmod(bumblebee_t)
+
+sysnet_dns_name_resolve(bumblebee_t)
+
@@ -10711,7 +10718,7 @@ index 008f8ef..144c074 100644
admin_pattern($1, certmonger_var_run_t)
')
diff --git a/certmonger.te b/certmonger.te
-index 2354e21..8b373e6 100644
+index 2354e21..5d02854 100644
--- a/certmonger.te
+++ b/certmonger.te
@@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t)
@@ -10748,7 +10755,7 @@ index 2354e21..8b373e6 100644
corenet_all_recvfrom_unlabeled(certmonger_t)
corenet_all_recvfrom_netlabel(certmonger_t)
-@@ -49,16 +55,23 @@ corenet_tcp_sendrecv_generic_node(certmonger_t)
+@@ -49,17 +55,25 @@ corenet_tcp_sendrecv_generic_node(certmonger_t)
corenet_sendrecv_certmaster_client_packets(certmonger_t)
corenet_tcp_connect_certmaster_port(certmonger_t)
@@ -10771,18 +10778,20 @@ index 2354e21..8b373e6 100644
-files_read_usr_files(certmonger_t)
files_list_tmp(certmonger_t)
++files_list_home(certmonger_t)
fs_search_cgroup_dirs(certmonger_t)
-@@ -70,16 +83,17 @@ init_getattr_all_script_files(certmonger_t)
+
+@@ -70,16 +84,18 @@ init_getattr_all_script_files(certmonger_t)
logging_send_syslog_msg(certmonger_t)
-miscfiles_read_localization(certmonger_t)
miscfiles_manage_generic_cert_files(certmonger_t)
--userdom_search_user_home_content(certmonger_t)
+systemd_exec_systemctl(certmonger_t)
+
+ userdom_search_user_home_content(certmonger_t)
+userdom_manage_home_certs(certmonger_t)
optional_policy(`
@@ -10794,7 +10803,7 @@ index 2354e21..8b373e6 100644
')
optional_policy(`
-@@ -92,11 +106,47 @@ optional_policy(`
+@@ -92,11 +108,47 @@ optional_policy(`
')
optional_policy(`
@@ -16387,7 +16396,7 @@ index 1303b30..058864e 100644
+ logging_log_filetrans($1, cron_log_t, $2, $3)
')
diff --git a/cron.te b/cron.te
-index 28e1b86..3fcc236 100644
+index 28e1b86..439a761 100644
--- a/cron.te
+++ b/cron.te
@@ -1,4 +1,4 @@
@@ -16591,7 +16600,7 @@ index 28e1b86..3fcc236 100644
selinux_get_fs_mount(admin_crontab_t)
selinux_validate_context(admin_crontab_t)
selinux_compute_access_vector(admin_crontab_t)
-@@ -204,12 +143,14 @@ selinux_compute_relabel_context(admin_crontab_t)
+@@ -204,22 +143,26 @@ selinux_compute_relabel_context(admin_crontab_t)
selinux_compute_user_contexts(admin_crontab_t)
tunable_policy(`fcron_crond',`
@@ -16607,7 +16616,9 @@ index 28e1b86..3fcc236 100644
#
allow crond_t self:capability { dac_override chown fowner setgid setuid sys_nice dac_read_search };
-@@ -218,8 +159,10 @@ allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem exec
+-dontaudit crond_t self:capability { sys_resource sys_tty_config };
++dontaudit crond_t self:capability { net_admin sys_resource sys_tty_config };
+ allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
allow crond_t self:process { setexec setfscreate };
allow crond_t self:fd use;
allow crond_t self:fifo_file rw_fifo_file_perms;
@@ -18038,7 +18049,7 @@ index 06da9a0..c7834c8 100644
+ ps_process_pattern($1, cupsd_t)
')
diff --git a/cups.te b/cups.te
-index 9f34c2e..ae75cc4 100644
+index 9f34c2e..f3aaaed 100644
--- a/cups.te
+++ b/cups.te
@@ -5,19 +5,24 @@ policy_module(cups, 1.15.9)
@@ -18171,7 +18182,7 @@ index 9f34c2e..ae75cc4 100644
#
-allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill setgid setuid fsetid fowner chown dac_override sys_rawio sys_resource sys_tty_config };
-+allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill fsetid fowner chown dac_override sys_rawio sys_resource sys_tty_config };
++allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill fsetid fowner chown dac_override sys_resource sys_tty_config };
dontaudit cupsd_t self:capability { sys_tty_config net_admin };
allow cupsd_t self:capability2 block_suspend;
-allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
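Review bot: the rewritten capability set `++allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill fsetid fowner chown dac_override sys_resource sys_tty_config };` still lists `dac_override` twice; since the line is being replaced anyway, dropping the duplicate costs nothing. The removal of `sys_rawio` is a welcome reduction, but it is not mentioned in the spec changelog, so a changelog entry or a comment such as `# sys_rawio dropped: no longer needed by cupsd` would keep it from being read as an accidental edit.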
@@ -23274,10 +23285,10 @@ index 0000000..cc6846a
+')
diff --git a/docker.te b/docker.te
new file mode 100644
-index 0000000..7de0c90
+index 0000000..c93feb8
--- /dev/null
+++ b/docker.te
-@@ -0,0 +1,241 @@
+@@ -0,0 +1,244 @@
+policy_module(docker, 1.0.0)
+
+########################################
@@ -23485,6 +23496,7 @@ index 0000000..7de0c90
+term_use_ptmx(docker_t)
+term_getattr_pty_fs(docker_t)
+term_relabel_pty_fs(docker_t)
++term_mounton_unallocated_ttys(docker_t)
+
+modutils_domtrans_insmod(docker_t)
+
@@ -23510,9 +23522,11 @@ index 0000000..7de0c90
+ virt_mounton_sandbox_file(docker_t)
+')
+
-+tunable_policy(`docker_transition_unconfined',`
-+ unconfined_transition(docker_t, docker_share_t)
-+ unconfined_transition(docker_t, docker_var_lib_t)
++optional_policy(`
++ tunable_policy(`docker_transition_unconfined',`
++ unconfined_transition(docker_t, docker_share_t)
++ unconfined_transition(docker_t, docker_var_lib_t)
++ ')
+')
+
+optional_policy(`
@@ -26237,7 +26251,7 @@ index c12c067..a415012 100644
optional_policy(`
diff --git a/fprintd.te b/fprintd.te
-index c81b6e8..6f2c7b8 100644
+index c81b6e8..ed04b9e 100644
--- a/fprintd.te
+++ b/fprintd.te
@@ -20,6 +20,8 @@ files_type(fprintd_var_lib_t)
@@ -26267,7 +26281,7 @@ index c81b6e8..6f2c7b8 100644
userdom_use_user_ptys(fprintd_t)
userdom_read_all_users_state(fprintd_t)
-@@ -54,8 +55,13 @@ optional_policy(`
+@@ -54,8 +55,17 @@ optional_policy(`
')
')
@@ -26280,6 +26294,10 @@ index c81b6e8..6f2c7b8 100644
+')
+
+optional_policy(`
++ udev_read_db(fprintd_t)
++')
++
++optional_policy(`
+ xserver_read_state_xdm(fprintd_t)
')
diff --git a/freeipmi.fc b/freeipmi.fc
@@ -32669,10 +32687,10 @@ index 0000000..9278f85
+
diff --git a/ipa.if b/ipa.if
new file mode 100644
-index 0000000..deb738f
+index 0000000..70c67d3
--- /dev/null
+++ b/ipa.if
-@@ -0,0 +1,21 @@
+@@ -0,0 +1,38 @@
+## Policy for IPA services.
+
+########################################
@@ -32694,6 +32712,23 @@ index 0000000..deb738f
+ domtrans_pattern($1, ipa_otpd_exec_t, ipa_otpd_t)
+')
+
++########################################
++##
++## Connect to ipa-otpd over a unix stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ipa_stream_connect_otpd',`
++ gen_require(`
++ type ipa_otpd_t;
++ ')
++ allow $1 ipa_otpd_t:unix_stream_socket connectto;
++')
++
diff --git a/ipa.te b/ipa.te
new file mode 100644
index 0000000..0fd2678
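Review bot: `ipa_stream_connect_otpd` grants only `allow $1 ipa_otpd_t:unix_stream_socket connectto;` and nothing on a socket file; if ipa-otpd listens on a filesystem socket, callers will still be denied `write` on the sock_file, which is why refpolicy interfaces of this kind normally use `stream_connect_pattern($1, <sock_file type>, <sock_file type>, ipa_otpd_t)`. If the socket is instead created by systemd socket activation, the listening socket may not carry `ipa_otpd_t` at all, so the denial seen for the krb5kdc caller in the kerberos.te hunk below is worth re-checking. A comment stating which case applies, `# ipa-otpd socket: <path or activation> — confirm`, would make the narrow rule intentional rather than incomplete.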
@@ -36004,7 +36039,7 @@ index f9de9fc..11504e6 100644
+ kerberos_tmp_filetrans_host_rcache($1, "ldap_55")
')
diff --git a/kerberos.te b/kerberos.te
-index 3465a9a..cf08ae1 100644
+index 3465a9a..2b1dc23 100644
--- a/kerberos.te
+++ b/kerberos.te
@@ -1,4 +1,4 @@
@@ -36216,7 +36251,7 @@ index 3465a9a..cf08ae1 100644
logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file)
allow krb5kdc_t krb5kdc_principal_t:file rw_file_perms;
-@@ -201,56 +230,57 @@ manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
+@@ -201,71 +230,76 @@ manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir })
manage_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t)
@@ -36287,7 +36322,14 @@ index 3465a9a..cf08ae1 100644
sysnet_use_ldap(krb5kdc_t)
userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
-@@ -261,11 +291,11 @@ optional_policy(`
+ userdom_dontaudit_search_user_home_dirs(krb5kdc_t)
+
+ optional_policy(`
++ ipa_stream_connect_otpd(krb5kdc_t)
++')
++
++optional_policy(`
+ ldap_stream_connect(krb5kdc_t)
')
optional_policy(`
@@ -36301,7 +36343,7 @@ index 3465a9a..cf08ae1 100644
')
optional_policy(`
-@@ -273,6 +303,10 @@ optional_policy(`
+@@ -273,6 +307,10 @@ optional_policy(`
')
optional_policy(`
@@ -36312,7 +36354,7 @@ index 3465a9a..cf08ae1 100644
udev_read_db(krb5kdc_t)
')
-@@ -281,10 +315,12 @@ optional_policy(`
+@@ -281,10 +319,12 @@ optional_policy(`
# kpropd local policy
#
@@ -36328,7 +36370,7 @@ index 3465a9a..cf08ae1 100644
allow kpropd_t krb5_host_rcache_t:file manage_file_perms;
-@@ -303,26 +339,20 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
+@@ -303,26 +343,20 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
corecmd_exec_bin(kpropd_t)
@@ -37758,7 +37800,7 @@ index ee0c7cc..4ac8f2d 100644
+ allow $1 slapd_unit_file_t:service all_service_perms;
')
diff --git a/ldap.te b/ldap.te
-index d7d9b09..523cf1b 100644
+index d7d9b09..d0fdb7c 100644
--- a/ldap.te
+++ b/ldap.te
@@ -21,6 +21,9 @@ files_config_file(slapd_etc_t)
@@ -37780,7 +37822,18 @@ index d7d9b09..523cf1b 100644
allow slapd_t self:fifo_file rw_fifo_file_perms;
allow slapd_t self:tcp_socket { accept listen };
-@@ -88,7 +91,6 @@ files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file })
+@@ -64,9 +67,7 @@ allow slapd_t slapd_lock_t:file manage_file_perms;
+ files_lock_filetrans(slapd_t, slapd_lock_t, file)
+
+ manage_dirs_pattern(slapd_t, slapd_log_t, slapd_log_t)
+-append_files_pattern(slapd_t, slapd_log_t, slapd_log_t)
+-create_files_pattern(slapd_t, slapd_log_t, slapd_log_t)
+-setattr_files_pattern(slapd_t, slapd_log_t, slapd_log_t)
++manage_files_pattern(slapd_t, slapd_log_t, slapd_log_t)
+ logging_log_filetrans(slapd_t, slapd_log_t, { file dir })
+
+ manage_dirs_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
+@@ -88,7 +89,6 @@ files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file })
kernel_read_system_state(slapd_t)
kernel_read_kernel_sysctls(slapd_t)
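Review bot: `++manage_files_pattern(slapd_t, slapd_log_t, slapd_log_t)` replaces the append/create/setattr trio, so slapd can now truncate, rename and unlink its own log files; the earlier rules kept the daemon's logs append-only, which is a deliberate integrity property for a network-facing service. If the denial behind this was log rotation, `rename_files_pattern` or `delete_files_pattern` on `slapd_log_t` adds just that and the `append_files_pattern` line can stay. If full write really is required, a comment naming the operation, `# slapd rewrites its own logs: <reason>`, would stop a later cleanup from restoring append-only by mistake.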
@@ -37788,7 +37841,7 @@ index d7d9b09..523cf1b 100644
corenet_all_recvfrom_netlabel(slapd_t)
corenet_tcp_sendrecv_generic_if(slapd_t)
corenet_tcp_sendrecv_generic_node(slapd_t)
-@@ -110,25 +112,23 @@ fs_getattr_all_fs(slapd_t)
+@@ -110,25 +110,23 @@ fs_getattr_all_fs(slapd_t)
fs_search_auto_mountpoints(slapd_t)
files_read_etc_runtime_files(slapd_t)
@@ -38806,7 +38859,7 @@ index 2fb9b2e..08974e3 100644
/usr/share/printconf/.* -- gen_context(system_u:object_r:printconf_t,s0)
diff --git a/lpd.if b/lpd.if
-index 6256371..7826e38 100644
+index 6256371..ce2acb8 100644
--- a/lpd.if
+++ b/lpd.if
@@ -1,44 +1,49 @@
@@ -38931,7 +38984,12 @@ index 6256371..7826e38 100644
##
##
##
-@@ -153,7 +155,7 @@ interface(`lpd_manage_spool',`
+@@ -149,11 +151,12 @@ interface(`lpd_manage_spool',`
+ manage_dirs_pattern($1, print_spool_t, print_spool_t)
+ manage_files_pattern($1, print_spool_t, print_spool_t)
+ manage_lnk_files_pattern($1, print_spool_t, print_spool_t)
++ manage_fifo_files_pattern($1, print_spool_t, print_spool_t)
+ ')
########################################
##
@@ -38940,7 +38998,7 @@ index 6256371..7826e38 100644
##
##
##
-@@ -172,7 +174,7 @@ interface(`lpd_relabel_spool',`
+@@ -172,7 +175,7 @@ interface(`lpd_relabel_spool',`
########################################
##
@@ -38949,7 +39007,7 @@ index 6256371..7826e38 100644
##
##
##
-@@ -200,12 +202,11 @@ interface(`lpd_read_config',`
+@@ -200,12 +203,11 @@ interface(`lpd_read_config',`
##
##
#
@@ -38963,7 +39021,7 @@ index 6256371..7826e38 100644
domtrans_pattern($1, lpr_exec_t, lpr_t)
')
-@@ -237,7 +238,8 @@ interface(`lpd_run_lpr',`
+@@ -237,7 +239,8 @@ interface(`lpd_run_lpr',`
########################################
##
@@ -38973,7 +39031,7 @@ index 6256371..7826e38 100644
##
##
##
-@@ -250,6 +252,5 @@ interface(`lpd_exec_lpr',`
+@@ -250,6 +253,5 @@ interface(`lpd_exec_lpr',`
type lpr_exec_t;
')
@@ -43729,7 +43787,7 @@ index 6194b80..03c6414 100644
')
+
diff --git a/mozilla.te b/mozilla.te
-index 6a306ee..405e285 100644
+index 6a306ee..bf0f92d 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -1,4 +1,4 @@
@@ -44189,7 +44247,7 @@ index 6a306ee..405e285 100644
+dontaudit mozilla_plugin_t self:capability { sys_admin ipc_lock sys_nice sys_tty_config };
+dontaudit mozilla_plugin_t self:capability2 block_suspend;
+
-+allow mozilla_plugin_t self:process { setcap setpgid getsched setsched signal_perms execmem execstack setrlimit transition };
++allow mozilla_plugin_t self:process { getsession setcap setpgid getsched setsched signal_perms execmem execstack setrlimit transition };
+allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms;
+allow mozilla_plugin_t self:netlink_socket create_socket_perms;
+allow mozilla_plugin_t self:tcp_socket create_stream_socket_perms;
@@ -47254,10 +47312,10 @@ index b744fe3..4c1b6a8 100644
init_labeled_script_domtrans($1, munin_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/munin.te b/munin.te
-index 97370e4..3549b8f 100644
+index 97370e4..bd217aa 100644
--- a/munin.te
+++ b/munin.te
-@@ -37,15 +37,22 @@ munin_plugin_template(disk)
+@@ -37,44 +37,47 @@ munin_plugin_template(disk)
munin_plugin_template(mail)
munin_plugin_template(selinux)
munin_plugin_template(services)
@@ -47281,7 +47339,14 @@ index 97370e4..3549b8f 100644
allow munin_plugin_domain self:fifo_file rw_fifo_file_perms;
allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms;
-@@ -58,23 +65,17 @@ allow munin_plugin_domain munin_var_lib_t:dir search_dir_perms;
+
+ read_lnk_files_pattern(munin_plugin_domain, munin_etc_t, munin_etc_t)
+
++allow munin_plugin_domain munin_unconfined_plugin_exec_t:file read_file_perms;
++
+ allow munin_plugin_domain munin_exec_t:file read_file_perms;
+
+ allow munin_plugin_domain munin_var_lib_t:dir search_dir_perms;
manage_files_pattern(munin_plugin_domain, munin_plugin_state_t, munin_plugin_state_t)
@@ -47306,7 +47371,7 @@ index 97370e4..3549b8f 100644
optional_policy(`
nscd_use(munin_plugin_domain)
-@@ -114,7 +115,7 @@ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
+@@ -114,7 +117,7 @@ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
@@ -47315,7 +47380,7 @@ index 97370e4..3549b8f 100644
manage_dirs_pattern(munin_t, munin_var_run_t, munin_var_run_t)
manage_files_pattern(munin_t, munin_var_run_t, munin_var_run_t)
-@@ -130,7 +131,6 @@ kernel_read_all_sysctls(munin_t)
+@@ -130,7 +133,6 @@ kernel_read_all_sysctls(munin_t)
corecmd_exec_bin(munin_t)
corecmd_exec_shell(munin_t)
@@ -47323,7 +47388,7 @@ index 97370e4..3549b8f 100644
corenet_all_recvfrom_netlabel(munin_t)
corenet_tcp_sendrecv_generic_if(munin_t)
corenet_tcp_sendrecv_generic_node(munin_t)
-@@ -153,7 +153,6 @@ domain_use_interactive_fds(munin_t)
+@@ -153,7 +155,6 @@ domain_use_interactive_fds(munin_t)
domain_read_all_domains_state(munin_t)
files_read_etc_runtime_files(munin_t)
@@ -47331,7 +47396,7 @@ index 97370e4..3549b8f 100644
files_list_spool(munin_t)
fs_getattr_all_fs(munin_t)
-@@ -165,7 +164,6 @@ logging_send_syslog_msg(munin_t)
+@@ -165,7 +166,6 @@ logging_send_syslog_msg(munin_t)
logging_read_all_logs(munin_t)
miscfiles_read_fonts(munin_t)
@@ -47339,7 +47404,7 @@ index 97370e4..3549b8f 100644
miscfiles_setattr_fonts_cache_dirs(munin_t)
sysnet_exec_ifconfig(munin_t)
-@@ -173,13 +171,6 @@ sysnet_exec_ifconfig(munin_t)
+@@ -173,13 +173,6 @@ sysnet_exec_ifconfig(munin_t)
userdom_dontaudit_use_unpriv_user_fds(munin_t)
userdom_dontaudit_search_user_home_dirs(munin_t)
@@ -47353,7 +47418,7 @@ index 97370e4..3549b8f 100644
optional_policy(`
cron_system_entry(munin_t, munin_exec_t)
-@@ -213,7 +204,6 @@ optional_policy(`
+@@ -213,7 +206,6 @@ optional_policy(`
optional_policy(`
postfix_list_spool(munin_t)
@@ -47361,7 +47426,7 @@ index 97370e4..3549b8f 100644
')
optional_policy(`
-@@ -242,21 +232,23 @@ allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
+@@ -242,21 +234,23 @@ allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
@@ -47389,7 +47454,7 @@ index 97370e4..3549b8f 100644
sysnet_read_config(disk_munin_plugin_t)
-@@ -268,6 +260,10 @@ optional_policy(`
+@@ -268,6 +262,10 @@ optional_policy(`
fstools_exec(disk_munin_plugin_t)
')
@@ -47400,7 +47465,7 @@ index 97370e4..3549b8f 100644
####################################
#
# Mail local policy
-@@ -275,27 +271,36 @@ optional_policy(`
+@@ -275,27 +273,36 @@ optional_policy(`
allow mail_munin_plugin_t self:capability dac_override;
@@ -47441,7 +47506,7 @@ index 97370e4..3549b8f 100644
')
optional_policy(`
-@@ -320,6 +325,9 @@ allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms;
+@@ -320,6 +327,9 @@ allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms;
allow services_munin_plugin_t self:udp_socket create_socket_perms;
allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms;
@@ -47451,7 +47516,7 @@ index 97370e4..3549b8f 100644
corenet_sendrecv_all_client_packets(services_munin_plugin_t)
corenet_tcp_connect_all_ports(services_munin_plugin_t)
corenet_tcp_connect_http_port(services_munin_plugin_t)
-@@ -331,7 +339,7 @@ dev_read_rand(services_munin_plugin_t)
+@@ -331,7 +341,7 @@ dev_read_rand(services_munin_plugin_t)
sysnet_read_config(services_munin_plugin_t)
optional_policy(`
@@ -47460,7 +47525,7 @@ index 97370e4..3549b8f 100644
')
optional_policy(`
-@@ -353,7 +361,11 @@ optional_policy(`
+@@ -353,7 +363,11 @@ optional_policy(`
')
optional_policy(`
@@ -47473,7 +47538,7 @@ index 97370e4..3549b8f 100644
')
optional_policy(`
-@@ -385,6 +397,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
+@@ -385,6 +399,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
kernel_read_network_state(system_munin_plugin_t)
kernel_read_all_sysctls(system_munin_plugin_t)
@@ -47481,7 +47546,7 @@ index 97370e4..3549b8f 100644
dev_read_sysfs(system_munin_plugin_t)
dev_read_urand(system_munin_plugin_t)
-@@ -413,3 +426,31 @@ optional_policy(`
+@@ -413,3 +428,31 @@ optional_policy(`
optional_policy(`
unconfined_domain(unconfined_munin_plugin_t)
')
@@ -49610,7 +49675,7 @@ index a1fb3c3..dfb99d2 100644
+/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
diff --git a/networkmanager.if b/networkmanager.if
-index 0e8508c..647712a 100644
+index 0e8508c..9a7332c 100644
--- a/networkmanager.if
+++ b/networkmanager.if
@@ -2,7 +2,7 @@
@@ -49690,28 +49755,10 @@ index 0e8508c..647712a 100644
##
##
##
-@@ -95,8 +98,7 @@ interface(`networkmanager_domtrans',`
+@@ -93,10 +96,27 @@ interface(`networkmanager_domtrans',`
+ domtrans_pattern($1, NetworkManager_exec_t, NetworkManager_t)
+ ')
- ########################################
- ##
--## Execute networkmanager scripts with
--## an automatic domain transition to initrc.
-+## Execute NetworkManager scripts with an automatic domain transition to NetworkManagerrc.
- ##
- ##
- ##
-@@ -104,18 +106,59 @@ interface(`networkmanager_domtrans',`
- ##
- ##
- #
-+interface(`networkmanager_NetworkManagerrc_domtrans',`
-+ gen_require(`
-+ type NetworkManager_NetworkManagerrc_exec_t;
-+ ')
-+
-+ NetworkManager_labeled_script_domtrans($1, NetworkManager_NetworkManagerrc_exec_t)
-+')
-+
+#######################################
+##
+## Execute NetworkManager scripts with an automatic domain transition to initrc.
@@ -49722,7 +49769,7 @@ index 0e8508c..647712a 100644
+##
+##
+#
- interface(`networkmanager_initrc_domtrans',`
++interface(`networkmanager_initrc_domtrans',`
+ gen_require(`
+ type NetworkManager_initrc_exec_t;
+ ')
@@ -49730,16 +49777,19 @@ index 0e8508c..647712a 100644
+ init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
+')
+
-+########################################
-+##
+ ########################################
+ ##
+-## Execute networkmanager scripts with
+-## an automatic domain transition to initrc.
+## Execute NetworkManager server in the NetworkManager domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -104,18 +124,23 @@ interface(`networkmanager_domtrans',`
+ ##
+ ##
+ #
+-interface(`networkmanager_initrc_domtrans',`
+interface(`networkmanager_systemctl',`
gen_require(`
- type NetworkManager_initrc_exec_t;
@@ -49763,7 +49813,7 @@ index 0e8508c..647712a 100644
##
##
##
-@@ -135,7 +178,29 @@ interface(`networkmanager_dbus_chat',`
+@@ -135,7 +160,29 @@ interface(`networkmanager_dbus_chat',`
########################################
##
@@ -49794,7 +49844,7 @@ index 0e8508c..647712a 100644
##
##
##
-@@ -153,7 +218,7 @@ interface(`networkmanager_signal',`
+@@ -153,7 +200,7 @@ interface(`networkmanager_signal',`
########################################
##
@@ -49803,7 +49853,7 @@ index 0e8508c..647712a 100644
##
##
##
-@@ -171,9 +236,28 @@ interface(`networkmanager_read_lib_files',`
+@@ -171,9 +218,28 @@ interface(`networkmanager_read_lib_files',`
read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
')
@@ -49833,7 +49883,7 @@ index 0e8508c..647712a 100644
##
##
##
-@@ -181,19 +265,18 @@ interface(`networkmanager_read_lib_files',`
+@@ -181,19 +247,18 @@ interface(`networkmanager_read_lib_files',`
##
##
#
@@ -49854,11 +49904,11 @@ index 0e8508c..647712a 100644
########################################
##
-## Read networkmanager pid files.
-+## Read NetworkManager PID files.
++## Manage NetworkManager PID files.
##
##
##
-@@ -201,23 +284,23 @@ interface(`networkmanager_append_log_files',`
+@@ -201,25 +266,44 @@ interface(`networkmanager_append_log_files',`
##
##
#
@@ -49877,17 +49927,37 @@ index 0e8508c..647712a 100644
##
-## All of the rules required to
-## administrate an networkmanager environment.
-+## Execute NetworkManager in the NetworkManager domain, and
-+## allow the specified role the NetworkManager domain.
++## Delete NetworkManager PID files.
##
##
##
--## Domain allowed access.
-+## Domain allowed to transition.
+ ## Domain allowed access.
##
##
++#
++interface(`networkmanager_delete_pid_files',`
++ gen_require(`
++ type NetworkManager_var_run_t;
++ ')
++
++ files_search_pids($1)
++ delete_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
++')
++
++########################################
++##
++## Execute NetworkManager in the NetworkManager domain, and
++## allow the specified role the NetworkManager domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
##
-@@ -227,33 +310,152 @@ interface(`networkmanager_read_pid_files',`
+ ##
+ ## Role allowed access.
+@@ -227,33 +311,152 @@ interface(`networkmanager_read_pid_files',`
##
##
#
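Review bot: `networkmanager_delete_pid_files` is summarised as deleting PID files, but its body `delete_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)` covers every file of that type; the networkmanager.fc hunk earlier in this file labels `/var/run/wpa_supplicant(/.*)?` with the same type, so a caller can also remove wpa_supplicant's run-time files. The first consumer is `vpnc_t` in the vpn.te hunk below, which therefore gains unlink over more than the NetworkManager pid file. Either changing the summary to `## Delete files in the NetworkManager runtime directory.` or giving the pid file its own type would make the interface say what it grants.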
@@ -51654,7 +51724,7 @@ index ba64485..429bd79 100644
+
+/usr/lib/systemd/system/nscd\.service -- gen_context(system_u:object_r:nscd_unit_file_t,s0)
diff --git a/nscd.if b/nscd.if
-index 8f2ab09..6ab4ea1 100644
+index 8f2ab09..bc2c7fe 100644
--- a/nscd.if
+++ b/nscd.if
@@ -1,8 +1,8 @@
@@ -51810,7 +51880,7 @@ index 8f2ab09..6ab4ea1 100644
+interface(`nscd_shm_use',`
+ gen_require(`
+ type nscd_t, nscd_var_run_t;
-+ class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
++ class nscd { getserv getpwd getgrp gethost shmempwd shmemgrp shmemhost shmemserv };
')
+
+ allow $1 nscd_var_run_t:dir list_dir_perms;
@@ -77916,7 +77986,7 @@ index 6dbc905..4b17c93 100644
- admin_pattern($1, rhsmcertd_lock_t)
')
diff --git a/rhsmcertd.te b/rhsmcertd.te
-index 1cedd70..36fb74e 100644
+index 1cedd70..b23c97a 100644
--- a/rhsmcertd.te
+++ b/rhsmcertd.te
@@ -30,14 +30,13 @@ files_pid_file(rhsmcertd_var_run_t)
@@ -77937,11 +78007,12 @@ index 1cedd70..36fb74e 100644
manage_files_pattern(rhsmcertd_t, rhsmcertd_lock_t, rhsmcertd_lock_t)
files_lock_filetrans(rhsmcertd_t, rhsmcertd_lock_t, file)
-@@ -52,21 +51,44 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
+@@ -52,21 +51,45 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
kernel_read_network_state(rhsmcertd_t)
kernel_read_system_state(rhsmcertd_t)
+corenet_tcp_connect_http_port(rhsmcertd_t)
++corenet_tcp_connect_squid_port(rhsmcertd_t)
+
corecmd_exec_bin(rhsmcertd_t)
+corecmd_exec_shell(rhsmcertd_t)
@@ -80491,7 +80562,7 @@ index 0628d50..e9dbd7e 100644
+ allow rpm_script_t $1:process sigchld;
')
diff --git a/rpm.te b/rpm.te
-index 5cbe81c..be4fc7f 100644
+index 5cbe81c..a461faa 100644
--- a/rpm.te
+++ b/rpm.te
@@ -1,15 +1,13 @@
@@ -80896,7 +80967,7 @@ index 5cbe81c..be4fc7f 100644
ifdef(`distro_redhat',`
optional_policy(`
-@@ -363,41 +385,70 @@ ifdef(`distro_redhat',`
+@@ -363,41 +385,71 @@ ifdef(`distro_redhat',`
')
')
@@ -80935,6 +81006,7 @@ index 5cbe81c..be4fc7f 100644
+ optional_policy(`
+ systemd_dbus_chat_logind(rpm_script_t)
+ systemd_dbus_chat_timedated(rpm_script_t)
++ systemd_dbus_chat_localed(rpm_script_t)
+ ')
+')
+
@@ -80977,7 +81049,7 @@ index 5cbe81c..be4fc7f 100644
optional_policy(`
java_domtrans_unconfined(rpm_script_t)
-@@ -409,6 +460,6 @@ optional_policy(`
+@@ -409,6 +461,6 @@ optional_policy(`
')
optional_policy(`
@@ -102407,7 +102479,7 @@ index 7a7f342..afedcba 100644
##
##
diff --git a/vpn.te b/vpn.te
-index 9329eae..824e86f 100644
+index 9329eae..992aefb 100644
--- a/vpn.te
+++ b/vpn.te
@@ -1,4 +1,4 @@
@@ -102517,14 +102589,16 @@ index 9329eae..824e86f 100644
optional_policy(`
dbus_system_bus_client(vpnc_t)
-@@ -125,7 +122,3 @@ optional_policy(`
+@@ -124,8 +121,5 @@ optional_policy(`
+
optional_policy(`
networkmanager_attach_tun_iface(vpnc_t)
- ')
+-')
-
-optional_policy(`
- seutil_use_newrole_fds(vpnc_t)
--')
++ networkmanager_delete_pid_files(vpnc_t)
+ ')
diff --git a/w3c.te b/w3c.te
index bcb76b6..d3cf4a8 100644
--- a/w3c.te
@@ -106142,7 +106216,7 @@ index 0000000..8c61505
+/var/spool/zoneminder-upload(/.*)? gen_context(system_u:object_r:zoneminder_spool_t,s0)
diff --git a/zoneminder.if b/zoneminder.if
new file mode 100644
-index 0000000..e0604c7
+index 0000000..fb0519e
--- /dev/null
+++ b/zoneminder.if
@@ -0,0 +1,374 @@
@@ -106355,7 +106429,7 @@ index 0000000..e0604c7
+#
+interface(`zoneminder_manage_lib_sock_files',`
+ gen_require(`
-+ type zoneminder_sock_var_lib_t;
++ type zoneminder_var_lib_t;
+ ')
+ files_search_var_lib($1)
+ manage_sock_files_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 9c1e89f..730debe 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 128%{?dist}
+Release: 129%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -579,6 +579,25 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon Mar 3 2014 Miroslav Grepl 3.12.1-129
+- Allow block_suspend cap2 for systemd-logind and rw dri device
+- Add labeling for /usr/libexec/nm-libreswan-service
+- Allow locallogin to rw xdm key to make Virtual Terminal login providing smartcard pin working
+- Add xserver_rw_xdm_keys()
+- Allow rpm_script_t to dbus chat also with systemd-located
+- Fix ipa_stream_connect_otpd()
+- update lpd_manage_spool() interface
+- Allow krb5kdc to stream connect to ipa-otpd
+- Add ipa_stream_connect_otpd() interface
+- Allow vpnc to unlink NM pids
+- Add networkmanager_delete_pid_files()
+- Allow munin plugins to access unconfined plugins
+- update abrt_filetrans_named_content to cover /var/spool/debug
+- Label /var/spool/debug as abrt_var_cache_t
+- Allow rhsmcertd to connect to squid port
+- Make docker_transition_unconfined as optional boolean
+- Allow certmonger to list home dirs
+
* Wed Feb 26 2014 Miroslav Grepl 3.12.1-128
- Make snapperd as unconfined domain and add additional fixes for it
- Remove nsplugin.pp module on upgrade