diff --git a/policy-f20-base.patch b/policy-f20-base.patch
index aad50ae..cac1fe2 100644
--- a/policy-f20-base.patch
+++ b/policy-f20-base.patch
@@ -15564,7 +15564,7 @@ index 7be4ddf..f7021a0 100644
+
+/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0)
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index 649e458..d2a0da5 100644
+index 649e458..1debeb2 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -126,6 +126,24 @@ interface(`kernel_setsched',`
@@ -15702,10 +15702,29 @@ index 649e458..d2a0da5 100644
')
########################################
-@@ -1025,6 +1094,25 @@ interface(`kernel_write_proc_files',`
+@@ -1025,6 +1094,44 @@ interface(`kernel_write_proc_files',`
########################################
##
++## Do not audit attempts to write the
++## file in /proc.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`kernel_dontaudit_write_proc_files',`
++ gen_require(`
++ type proc_t;
++ ')
++
++ dontaudit $1 proc_t:file write;
++')
++
++########################################
++##
+## Do not audit attempts to check the
+## access on generic proc entries.
+##
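Review bot: The header comment on `kernel_dontaudit_write_proc_files` says "the file in /proc", but the rule `dontaudit $1 proc_t:file write;` applies to every file labelled proc_t, so the summary understates the scope. I would word it as `## Do not audit attempts to write generic files in /proc (proc_t).` so callers can see that all generic proc files are affected. A dontaudit rule removes the denial record, not the denial, so the description could also state that the interface is meant for known-harmless write probes only. The interface body is complete within this hunk.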
@@ -15728,7 +15747,7 @@ index 649e458..d2a0da5 100644
## Do not audit attempts by caller to
## read system state information in proc.
##
-@@ -1208,6 +1296,25 @@ interface(`kernel_read_messages',`
+@@ -1208,6 +1315,25 @@ interface(`kernel_read_messages',`
########################################
##
@@ -15754,7 +15773,7 @@ index 649e458..d2a0da5 100644
## Allow caller to get the attributes of kernel message
## interface (/proc/kmsg).
##
-@@ -1458,6 +1565,25 @@ interface(`kernel_list_all_proc',`
+@@ -1458,6 +1584,25 @@ interface(`kernel_list_all_proc',`
########################################
##
@@ -15780,7 +15799,7 @@ index 649e458..d2a0da5 100644
## Do not audit attempts to list all proc directories.
##
##
-@@ -1477,6 +1603,24 @@ interface(`kernel_dontaudit_list_all_proc',`
+@@ -1477,6 +1622,24 @@ interface(`kernel_dontaudit_list_all_proc',`
########################################
##
@@ -15805,7 +15824,7 @@ index 649e458..d2a0da5 100644
## Do not audit attempts by caller to search
## the base directory of sysctls.
##
-@@ -1672,7 +1816,7 @@ interface(`kernel_read_net_sysctls',`
+@@ -1672,7 +1835,7 @@ interface(`kernel_read_net_sysctls',`
')
read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
@@ -15814,7 +15833,7 @@ index 649e458..d2a0da5 100644
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
')
-@@ -1693,7 +1837,7 @@ interface(`kernel_rw_net_sysctls',`
+@@ -1693,7 +1856,7 @@ interface(`kernel_rw_net_sysctls',`
')
rw_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
@@ -15823,7 +15842,7 @@ index 649e458..d2a0da5 100644
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
')
-@@ -1715,7 +1859,6 @@ interface(`kernel_read_unix_sysctls',`
+@@ -1715,7 +1878,6 @@ interface(`kernel_read_unix_sysctls',`
')
read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_unix_t)
@@ -15831,7 +15850,7 @@ index 649e458..d2a0da5 100644
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
')
-@@ -2085,9 +2228,28 @@ interface(`kernel_dontaudit_list_all_sysctls',`
+@@ -2085,9 +2247,28 @@ interface(`kernel_dontaudit_list_all_sysctls',`
')
dontaudit $1 sysctl_type:dir list_dir_perms;
@@ -15861,7 +15880,7 @@ index 649e458..d2a0da5 100644
########################################
##
## Allow caller to read all sysctls.
-@@ -2282,6 +2444,25 @@ interface(`kernel_list_unlabeled',`
+@@ -2282,6 +2463,25 @@ interface(`kernel_list_unlabeled',`
########################################
##
@@ -15887,7 +15906,7 @@ index 649e458..d2a0da5 100644
## Read the process state (/proc/pid) of all unlabeled_t.
##
##
-@@ -2306,7 +2487,7 @@ interface(`kernel_read_unlabeled_state',`
+@@ -2306,7 +2506,7 @@ interface(`kernel_read_unlabeled_state',`
##
##
##
@@ -15896,7 +15915,7 @@ index 649e458..d2a0da5 100644
##
##
#
-@@ -2488,6 +2669,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
+@@ -2488,6 +2688,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
########################################
##
@@ -15921,7 +15940,7 @@ index 649e458..d2a0da5 100644
## Do not audit attempts by caller to get attributes for
## unlabeled character devices.
##
-@@ -2525,6 +2724,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
+@@ -2525,6 +2743,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
########################################
##
@@ -15946,7 +15965,7 @@ index 649e458..d2a0da5 100644
## Allow caller to relabel unlabeled files.
##
##
-@@ -2632,7 +2849,7 @@ interface(`kernel_sendrecv_unlabeled_association',`
+@@ -2632,7 +2868,7 @@ interface(`kernel_sendrecv_unlabeled_association',`
allow $1 unlabeled_t:association { sendto recvfrom };
# temporary hack until labeling on packets is supported
@@ -15955,7 +15974,7 @@ index 649e458..d2a0da5 100644
')
########################################
-@@ -2670,6 +2887,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
+@@ -2670,6 +2906,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
########################################
##
@@ -15980,7 +15999,7 @@ index 649e458..d2a0da5 100644
## Receive TCP packets from an unlabeled connection.
##
##
-@@ -2697,6 +2932,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
+@@ -2697,6 +2951,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
########################################
##
@@ -16006,7 +16025,7 @@ index 649e458..d2a0da5 100644
## Do not audit attempts to receive TCP packets from an unlabeled
## connection.
##
-@@ -2806,6 +3060,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
+@@ -2806,6 +3079,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
allow $1 unlabeled_t:rawip_socket recvfrom;
')
@@ -16040,7 +16059,7 @@ index 649e458..d2a0da5 100644
########################################
##
-@@ -2961,6 +3242,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
+@@ -2961,6 +3261,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
########################################
##
@@ -16065,7 +16084,7 @@ index 649e458..d2a0da5 100644
## Unconfined access to kernel module resources.
##
##
-@@ -2975,5 +3274,300 @@ interface(`kernel_unconfined',`
+@@ -2975,5 +3293,300 @@ interface(`kernel_unconfined',`
')
typeattribute $1 kern_unconfined;
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index b7300d6..d341865 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -568,7 +568,7 @@ index 058d908..cf17e67 100644
+')
+
diff --git a/abrt.te b/abrt.te
-index cc43d25..b2e7c34 100644
+index cc43d25..db6136e 100644
--- a/abrt.te
+++ b/abrt.te
@@ -1,4 +1,4 @@
@@ -756,7 +756,7 @@ index cc43d25..b2e7c34 100644
manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
logging_log_filetrans(abrt_t, abrt_var_log_t, file)
-@@ -112,23 +141,29 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
+@@ -112,23 +141,30 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
@@ -785,10 +785,11 @@ index cc43d25..b2e7c34 100644
kernel_read_ring_buffer(abrt_t)
-kernel_read_system_state(abrt_t)
+kernel_read_network_state(abrt_t)
++kernel_read_software_raid_state(abrt_t)
kernel_request_load_module(abrt_t)
kernel_rw_kernel_sysctl(abrt_t)
-@@ -137,16 +172,14 @@ corecmd_exec_shell(abrt_t)
+@@ -137,16 +173,14 @@ corecmd_exec_shell(abrt_t)
corecmd_read_all_executables(abrt_t)
corenet_all_recvfrom_netlabel(abrt_t)
@@ -807,7 +808,7 @@ index cc43d25..b2e7c34 100644
dev_getattr_all_chr_files(abrt_t)
dev_getattr_all_blk_files(abrt_t)
-@@ -163,29 +196,43 @@ files_getattr_all_files(abrt_t)
+@@ -163,29 +197,43 @@ files_getattr_all_files(abrt_t)
files_read_config_files(abrt_t)
files_read_etc_runtime_files(abrt_t)
files_read_var_symlinks(abrt_t)
@@ -854,7 +855,7 @@ index cc43d25..b2e7c34 100644
tunable_policy(`abrt_anon_write',`
miscfiles_manage_public_files(abrt_t)
-@@ -193,15 +240,11 @@ tunable_policy(`abrt_anon_write',`
+@@ -193,15 +241,11 @@ tunable_policy(`abrt_anon_write',`
optional_policy(`
apache_list_modules(abrt_t)
@@ -871,7 +872,7 @@ index cc43d25..b2e7c34 100644
')
optional_policy(`
-@@ -209,6 +252,20 @@ optional_policy(`
+@@ -209,6 +253,20 @@ optional_policy(`
')
optional_policy(`
@@ -892,7 +893,7 @@ index cc43d25..b2e7c34 100644
policykit_domtrans_auth(abrt_t)
policykit_read_lib(abrt_t)
policykit_read_reload(abrt_t)
-@@ -221,6 +278,11 @@ optional_policy(`
+@@ -221,6 +279,11 @@ optional_policy(`
')
optional_policy(`
@@ -904,7 +905,7 @@ index cc43d25..b2e7c34 100644
rpm_exec(abrt_t)
rpm_dontaudit_manage_db(abrt_t)
rpm_manage_cache(abrt_t)
-@@ -230,6 +292,7 @@ optional_policy(`
+@@ -230,6 +293,7 @@ optional_policy(`
rpm_signull(abrt_t)
')
@@ -912,7 +913,7 @@ index cc43d25..b2e7c34 100644
optional_policy(`
sendmail_domtrans(abrt_t)
')
-@@ -240,9 +303,17 @@ optional_policy(`
+@@ -240,9 +304,17 @@ optional_policy(`
sosreport_delete_tmp_files(abrt_t)
')
@@ -931,7 +932,7 @@ index cc43d25..b2e7c34 100644
#
allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
-@@ -253,9 +324,13 @@ tunable_policy(`abrt_handle_event',`
+@@ -253,9 +325,13 @@ tunable_policy(`abrt_handle_event',`
can_exec(abrt_t, abrt_handle_event_exec_t)
')
@@ -946,7 +947,7 @@ index cc43d25..b2e7c34 100644
#
allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -268,6 +343,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+@@ -268,6 +344,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
@@ -954,7 +955,7 @@ index cc43d25..b2e7c34 100644
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
-@@ -276,15 +352,20 @@ corecmd_read_all_executables(abrt_helper_t)
+@@ -276,15 +353,20 @@ corecmd_read_all_executables(abrt_helper_t)
domain_read_all_domains_state(abrt_helper_t)
@@ -975,7 +976,7 @@ index cc43d25..b2e7c34 100644
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -292,11 +373,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -292,11 +374,25 @@ ifdef(`hide_broken_symptoms',`
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -1002,7 +1003,7 @@ index cc43d25..b2e7c34 100644
#
allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
-@@ -314,10 +409,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
+@@ -314,10 +410,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
dev_read_urand(abrt_retrace_coredump_t)
@@ -1016,7 +1017,7 @@ index cc43d25..b2e7c34 100644
optional_policy(`
rpm_exec(abrt_retrace_coredump_t)
rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
-@@ -330,10 +427,11 @@ optional_policy(`
+@@ -330,10 +428,11 @@ optional_policy(`
#######################################
#
@@ -1030,7 +1031,7 @@ index cc43d25..b2e7c34 100644
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -352,46 +450,64 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -352,46 +451,64 @@ corecmd_exec_shell(abrt_retrace_worker_t)
dev_read_urand(abrt_retrace_worker_t)
@@ -1100,7 +1101,7 @@ index cc43d25..b2e7c34 100644
read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
-@@ -400,16 +516,50 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
+@@ -400,16 +517,50 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
corecmd_exec_bin(abrt_watch_log_t)
logging_read_all_logs(abrt_watch_log_t)
@@ -10371,10 +10372,10 @@ index 0000000..de66654
+')
diff --git a/bumblebee.te b/bumblebee.te
new file mode 100644
-index 0000000..6e058fc
+index 0000000..cc9002e
--- /dev/null
+++ b/bumblebee.te
-@@ -0,0 +1,65 @@
+@@ -0,0 +1,66 @@
+policy_module(bumblebee, 1.0.0)
+
+########################################
@@ -10410,6 +10411,7 @@ index 0000000..6e058fc
+
+kernel_read_system_state(bumblebee_t)
+kernel_dontaudit_access_check_proc(bumblebee_t)
++kernel_dontaudit_write_proc_files(bumblebee_t)
+kernel_manage_debugfs(bumblebee_t)
+
+corecmd_exec_shell(bumblebee_t)
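Review bot: `kernel_dontaudit_write_proc_files(bumblebee_t)` is added with no comment or bug reference saying which /proc write is being silenced, and the 3.12.1-193 changelog entry does not mention it either. Once this rule is loaded, a write attempt by bumblebee_t against any proc_t file is still denied but no longer logged, so anyone troubleshooting or investigating later has to rebuild the policy with dontaudit rules disabled (`semodule -DB`) to see it. A one-line comment above the call would record the reason, for example `# BZ(<bug id>): <which /proc file bumblebee tries to write and why the denial is harmless>`.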
@@ -40664,7 +40666,7 @@ index db87831..30bfb76 100644
+userdom_use_inherited_user_terminals(lockdev_t)
+
diff --git a/logrotate.fc b/logrotate.fc
-index a11d5be..36c8de7 100644
+index a11d5be..4cf59d3 100644
--- a/logrotate.fc
+++ b/logrotate.fc
@@ -1,6 +1,9 @@
@@ -40677,7 +40679,7 @@ index a11d5be..36c8de7 100644
/var/lib/logrotate(/.*)? gen_context(system_u:object_r:logrotate_var_lib_t,s0)
-/var/lib/logrotate\.status -- gen_context(system_u:object_r:logrotate_var_lib_t,s0)
+', `
-+/var/lib/logrotate\.status -- gen_context(system_u:object_r:logrotate_var_lib_t,s0)
++/var/lib/logrotate\.status.* -- gen_context(system_u:object_r:logrotate_var_lib_t,s0)
+')
diff --git a/logrotate.if b/logrotate.if
index dd8e01a..9cd6b0b 100644
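Review bot: The new pattern `/var/lib/logrotate\.status.*` matches any file name that starts with logrotate.status, while the changelog states the goal as labelling logrotate.status.tmp. If only the temporary file is needed, `/var/lib/logrotate\.status(\.tmp)? -- gen_context(system_u:object_r:logrotate_var_lib_t,s0)` keeps the labelling as narrow as the stated intent. The conditional block this entry sits in starts outside the hunk, so whether the other branch needs the same treatment cannot be checked from here.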
@@ -44762,7 +44764,7 @@ index b1ac8b5..9b22bea 100644
+ ')
+')
diff --git a/modemmanager.te b/modemmanager.te
-index cb4c13d..6af07aa 100644
+index cb4c13d..25f2cfe 100644
--- a/modemmanager.te
+++ b/modemmanager.te
@@ -1,4 +1,4 @@
@@ -44781,7 +44783,13 @@ index cb4c13d..6af07aa 100644
########################################
#
# Local policy
-@@ -24,15 +27,17 @@ allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
+@@ -19,20 +22,22 @@ typealias modemmanager_exec_t alias ModemManager_exec_t;
+ allow modemmanager_t self:capability { net_admin sys_admin sys_tty_config };
+ allow modemmanager_t self:process { getsched signal };
+ allow modemmanager_t self:fifo_file rw_fifo_file_perms;
+-allow modemmanager_t self:unix_stream_socket create_stream_socket_perms;
++allow modemmanager_t self:unix_stream_socket {connectto create_stream_socket_perms};
+ allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
kernel_read_system_state(modemmanager_t)
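Review bot: The new rule writes the permission set as `{connectto create_stream_socket_perms}` with no spaces inside the braces, while the neighbouring rule in the same block uses `{ net_admin sys_admin sys_tty_config }`. I would write it as `allow modemmanager_t self:unix_stream_socket { connectto create_stream_socket_perms };` to match. The changelog line for this change also carries no bug reference, unlike most of the other entries, and adding one would let a reader find the denial that motivated connectto.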
@@ -71270,7 +71278,7 @@ index fa3dc8e..99cfa95 100644
+ ps_process_pattern($1, pulseaudio_t)
')
diff --git a/pulseaudio.te b/pulseaudio.te
-index e31bbe1..5f0e288 100644
+index e31bbe1..28e206e 100644
--- a/pulseaudio.te
+++ b/pulseaudio.te
@@ -1,4 +1,4 @@
@@ -71371,7 +71379,7 @@ index e31bbe1..5f0e288 100644
can_exec(pulseaudio_t, pulseaudio_exec_t)
-@@ -85,60 +70,51 @@ kernel_read_kernel_sysctls(pulseaudio_t)
+@@ -85,60 +70,57 @@ kernel_read_kernel_sysctls(pulseaudio_t)
corecmd_exec_bin(pulseaudio_t)
@@ -71423,10 +71431,12 @@ index e31bbe1..5f0e288 100644
logging_send_syslog_msg(pulseaudio_t)
-miscfiles_read_localization(pulseaudio_t)
--
--userdom_search_user_home_dirs(pulseaudio_t)
--userdom_write_user_tmp_sockets(pulseaudio_t)
--
+
+ userdom_search_user_home_dirs(pulseaudio_t)
+ userdom_write_user_tmp_sockets(pulseaudio_t)
++userdom_manage_user_tmp_files(pulseaudio_t)
++userdom_execute_user_tmp_files(pulseaudio_t)
+
tunable_policy(`use_nfs_home_dirs',`
+ fs_mount_nfs(pulseaudio_t)
+ fs_mounton_nfs(pulseaudio_t)
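Review bot: `userdom_execute_user_tmp_files(pulseaudio_t)` is added next to `userdom_manage_user_tmp_files(pulseaudio_t)`, but the changelog only describes replacing the deprecated `xserver_manage_xdm_tmp_files` with the manage interface. Going by the interface names, the pair lets pulseaudio_t both create or modify files of the user tmp type and execute them, which is a broader grant than the one being replaced. If execute is really required, I would record why with a comment above the line, e.g. `# BZ(<bug id>): <what pulseaudio executes from user tmp>`, and otherwise drop the execute line. The removal of the xserver call itself is in the later `@@ -71494,7 +71504,12 @@` hunk.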
@@ -71448,7 +71458,7 @@ index e31bbe1..5f0e288 100644
')
optional_policy(`
-@@ -151,8 +127,9 @@ optional_policy(`
+@@ -151,8 +133,9 @@ optional_policy(`
optional_policy(`
dbus_system_domain(pulseaudio_t, pulseaudio_exec_t)
@@ -71460,7 +71470,7 @@ index e31bbe1..5f0e288 100644
optional_policy(`
consolekit_dbus_chat(pulseaudio_t)
-@@ -172,16 +149,33 @@ optional_policy(`
+@@ -172,29 +155,49 @@ optional_policy(`
')
optional_policy(`
@@ -71494,7 +71504,12 @@ index e31bbe1..5f0e288 100644
udev_read_state(pulseaudio_t)
udev_read_db(pulseaudio_t)
')
-@@ -194,7 +188,11 @@ optional_policy(`
+
+ optional_policy(`
+ xserver_stream_connect(pulseaudio_t)
+- xserver_manage_xdm_tmp_files(pulseaudio_t)
+ xserver_read_xdm_lib_files(pulseaudio_t)
+ xserver_read_xdm_pid(pulseaudio_t)
xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t)
')
@@ -71507,7 +71522,7 @@ index e31bbe1..5f0e288 100644
#
# Client local policy
#
-@@ -208,8 +206,6 @@ delete_files_pattern(pulseaudio_client, pulseaudio_tmpfsfile, pulseaudio_tmpfsfi
+@@ -208,8 +211,6 @@ delete_files_pattern(pulseaudio_client, pulseaudio_tmpfsfile, pulseaudio_tmpfsfi
fs_getattr_tmpfs(pulseaudio_client)
@@ -71516,7 +71531,7 @@ index e31bbe1..5f0e288 100644
corenet_tcp_sendrecv_generic_if(pulseaudio_client)
corenet_tcp_sendrecv_generic_node(pulseaudio_client)
-@@ -218,36 +214,31 @@ corenet_tcp_connect_pulseaudio_port(pulseaudio_client)
+@@ -218,36 +219,31 @@ corenet_tcp_connect_pulseaudio_port(pulseaudio_client)
corenet_tcp_sendrecv_pulseaudio_port(pulseaudio_client)
pulseaudio_stream_connect(pulseaudio_client)
@@ -75704,7 +75719,7 @@ index 2c3d338..7d49554 100644
init_labeled_script_domtrans($1, rabbitmq_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/rabbitmq.te b/rabbitmq.te
-index 3698b51..a904ad9 100644
+index 3698b51..a844a8f 100644
--- a/rabbitmq.te
+++ b/rabbitmq.te
@@ -5,13 +5,14 @@ policy_module(rabbitmq, 1.0.0)
@@ -75738,7 +75753,7 @@ index 3698b51..a904ad9 100644
type rabbitmq_var_log_t;
logging_log_file(rabbitmq_var_log_t)
-@@ -27,80 +31,82 @@ files_pid_file(rabbitmq_var_run_t)
+@@ -27,80 +31,86 @@ files_pid_file(rabbitmq_var_run_t)
######################################
#
@@ -75832,49 +75847,52 @@ index 3698b51..a904ad9 100644
+domain_read_all_domains_state(rabbitmq_t)
-miscfiles_read_localization(rabbitmq_beam_t)
--
++auth_read_passwd(rabbitmq_t)
++auth_use_pam(rabbitmq_t)
+
-sysnet_dns_name_resolve(rabbitmq_beam_t)
-
-########################################
-#
-# Epmd local policy
-#
-+auth_read_passwd(rabbitmq_t)
-+auth_use_pam(rabbitmq_t)
-
+files_getattr_all_mountpoints(rabbitmq_t)
--allow rabbitmq_epmd_t self:process signal;
--allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms;
--allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms;
--allow rabbitmq_epmd_t self:unix_stream_socket { accept listen };
+fs_getattr_all_fs(rabbitmq_t)
+fs_getattr_all_dirs(rabbitmq_t)
+fs_getattr_cgroup(rabbitmq_t)
+fs_search_cgroup_dirs(rabbitmq_t)
--allow rabbitmq_epmd_t rabbitmq_var_log_t:file append_file_perms;
+-allow rabbitmq_epmd_t self:process signal;
+-allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms;
+-allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms;
+-allow rabbitmq_epmd_t self:unix_stream_socket { accept listen };
+dev_read_sysfs(rabbitmq_t)
+dev_read_urand(rabbitmq_t)
+-allow rabbitmq_epmd_t rabbitmq_var_log_t:file append_file_perms;
++storage_getattr_fixed_disk_dev(rabbitmq_t)
+
-corenet_all_recvfrom_unlabeled(rabbitmq_epmd_t)
-corenet_all_recvfrom_netlabel(rabbitmq_epmd_t)
-corenet_tcp_sendrecv_generic_if(rabbitmq_epmd_t)
-corenet_tcp_sendrecv_generic_node(rabbitmq_epmd_t)
-corenet_tcp_bind_generic_node(rabbitmq_epmd_t)
-+storage_getattr_fixed_disk_dev(rabbitmq_t)
++sysnet_dns_name_resolve(rabbitmq_t)
-corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
-corenet_tcp_bind_epmd_port(rabbitmq_epmd_t)
-corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t)
-+sysnet_dns_name_resolve(rabbitmq_t)
++logging_send_syslog_msg(rabbitmq_t)
-files_read_etc_files(rabbitmq_epmd_t)
-+logging_send_syslog_msg(rabbitmq_t)
++optional_policy(`
++ dbus_system_bus_client(rabbitmq_t)
++')
-logging_send_syslog_msg(rabbitmq_epmd_t)
+optional_policy(`
-+ dbus_system_bus_client(rabbitmq_t)
++ rpc_read_nfs_state_data(rabbitmq_t)
+')
-miscfiles_read_localization(rabbitmq_epmd_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 498731d..f8d4d1c 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 192%{?dist}
+Release: 193%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -582,6 +582,13 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon Nov 03 2014 Lukas Vrabec 3.12.1-193
+- Label also logrotate.status.tmp as logrotate_var_lib_t. BZ(1158835)
+- xserver_manage_xdm_tmp_files is depracated and replaced with userdom_manage_user_tmp_files
+- Allow abrt to read software raid state. BZ (1157770)
+- Allow rabbitmq to read nfs state data. BZ(1122412)
+- Allow modemmanger to connectto itself
+
* Tue Oct 21 2014 Lukas Vrabec 3.12.1-192
- Allow couchdb read sysctl_fs_t files. BZ(1154327)
- Add fowner cap in usbmuxd_t BZ (1152662)