diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index 8b246ba..9efc54b 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -10949,7 +10949,7 @@ index 008f8ef..144c074 100644
admin_pattern($1, certmonger_var_run_t)
')
diff --git a/certmonger.te b/certmonger.te
-index 2354e21..9a5e1fd 100644
+index 2354e21..cc0fe4f 100644
--- a/certmonger.te
+++ b/certmonger.te
@@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t)
@@ -11013,8 +11013,12 @@ index 2354e21..9a5e1fd 100644
fs_search_cgroup_dirs(certmonger_t)
-@@ -70,16 +84,17 @@ init_getattr_all_script_files(certmonger_t)
+@@ -68,18 +82,21 @@ auth_rw_cache(certmonger_t)
+ init_getattr_all_script_files(certmonger_t)
+
++libs_exec_ldconfig(certmonger_t)
++
logging_send_syslog_msg(certmonger_t)
-miscfiles_read_localization(certmonger_t)
@@ -11034,7 +11038,7 @@ index 2354e21..9a5e1fd 100644
')
optional_policy(`
-@@ -92,11 +107,51 @@ optional_policy(`
+@@ -92,11 +109,51 @@ optional_policy(`
')
optional_policy(`
@@ -13420,26 +13424,26 @@ index 2a71346..3a38b11 100644
')
diff --git a/cockpit.fc b/cockpit.fc
new file mode 100644
-index 0000000..ee6e817
+index 0000000..276ea8a
--- /dev/null
+++ b/cockpit.fc
-@@ -0,0 +1,9 @@
-+/usr/lib/systemd/system/cockpit.service -- gen_context(system_u:object_r:cockpit_unit_file_t,s0)
+@@ -0,0 +1,10 @@
++# cockpit stuff
+
-+/usr/lib/systemd/system/cockpit.socket -- gen_context(system_u:object_r:cockpit_unit_file_t,s0)
++/usr/lib/systemd/system/cockpit.* -- gen_context(system_u:object_r:cockpit_unit_file_t,s0)
++/etc/systemd/system/cockpit.* -- gen_context(system_u:object_r:cockpit_unit_file_t,s0)
+
-+/usr/lib/systemd/system/cockpitd.service -- gen_context(system_u:object_r:cockpit_unit_file_t,s0)
++/usr/libexec/cockpit-ws -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0)
+
-+/usr/libexec/cockpitd -- gen_context(system_u:object_r:cockpit_exec_t,s0)
++/usr/libexec/cockpit-session -- gen_context(system_u:object_r:cockpit_session_exec_t,s0)
+
-+/var/lib/cockpit(/.*)? gen_context(system_u:object_r:cockpit_var_lib_t,s0)
++/usr/libexec/cockpit-agent -- gen_context(system_u:object_r:shell_exec_t,s0)
diff --git a/cockpit.if b/cockpit.if
new file mode 100644
-index 0000000..25e3237
+index 0000000..573dcae
--- /dev/null
+++ b/cockpit.if
-@@ -0,0 +1,186 @@
-+
+@@ -0,0 +1,188 @@
+## policy for cockpit
+
+########################################
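Review bot: The new cockpit.fc entry for `/usr/libexec/cockpit-agent` labels the binary `shell_exec_t` instead of a cockpit-specific type, so any domain allowed to execute a shell can run it, and policy and AVC records cannot tell it apart from a shell. If this is deliberate, presumably so that the per-user transition granted to `cockpit_session_t` in cockpit.te lands in the logged-in user's domain, record that in the file, e.g. `# cockpit-agent is labelled as a shell so that it runs in the login user's domain`. Otherwise give it its own exec type with an explicit transition.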
@@ -13452,13 +13456,32 @@ index 0000000..25e3237
+##
+##
+#
-+interface(`cockpit_domtrans',`
++interface(`cockpit_ws_domtrans',`
+ gen_require(`
-+ type cockpit_t, cockpit_exec_t;
++ type cockpit_ws_t, cockpit_ws_exec_t;
+ ')
+
+ corecmd_search_bin($1)
-+ domtrans_pattern($1, cockpit_exec_t, cockpit_t)
++ domtrans_pattern($1, cockpit_ws_exec_t, cockpit_ws_t)
++')
++
++########################################
++##
++## Execute TEMPLATE in the cockpit domin.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`cockpit_session_domtrans',`
++ gen_require(`
++ type cockpit_session_t, cockpit_session_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, cockpit_session_exec_t, cockpit_session_t)
+')
+
+########################################
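Review bot: The summary added for `cockpit_session_domtrans` still reads `Execute TEMPLATE in the cockpit domin.`, which looks like an unedited template placeholder with a typo and does not name the domain being entered. Suggest `## Execute cockpit-session in the cockpit_session_t domain.` here. If the summary of `cockpit_ws_domtrans`, which starts outside this hunk, carries the same text, give it the matching `## Execute cockpit-ws in the cockpit_ws_t domain.`.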
@@ -13549,7 +13572,7 @@ index 0000000..25e3237
+#
+interface(`cockpit_systemctl',`
+ gen_require(`
-+ type cockpit_t;
++ type cockpit_ws_t;
+ type cockpit_unit_file_t;
+ ')
+
@@ -13558,33 +13581,12 @@ index 0000000..25e3237
+ allow $1 cockpit_unit_file_t:file read_file_perms;
+ allow $1 cockpit_unit_file_t:service manage_service_perms;
+
-+ ps_process_pattern($1, cockpit_t)
++ ps_process_pattern($1, cockpit_ws_t)
+')
+
+
+########################################
+##
-+## Send and receive messages from
-+## cockpit over dbus.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`cockpit_dbus_chat',`
-+ gen_require(`
-+ type cockpit_t;
-+ class dbus send_msg;
-+ ')
-+
-+ allow $1 cockpit_t:dbus send_msg;
-+ allow cockpit_t $1:dbus send_msg;
-+')
-+
-+########################################
-+##
+## All of the rules required to administrate
+## an cockpit environment
+##
@@ -13602,17 +13604,22 @@ index 0000000..25e3237
+#
+interface(`cockpit_admin',`
+ gen_require(`
-+ type cockpit_t;
++ type cockpit_ws_t;
++ type cockpit_session_t;
+ type cockpit_var_lib_t;
-+ type cockpit_unit_file_t;
++ type cockpit_unit_file_t;
+ ')
+
-+ allow $1 cockpit_t:process { signal_perms };
-+ ps_process_pattern($1, cockpit_t)
++ allow $1 cockpit_ws_t:process { signal_perms };
++ ps_process_pattern($1, cockpit_ws_t)
+
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 cockpit_t:process ptrace;
-+ ')
++ allow $1 cockpit_session_t:process { signal_perms };
++ ps_process_pattern($1, cockpit_session_t)
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 cockpit_ws_t:process ptrace;
++ allow $1 cockpit_session_t:process ptrace;
++ ')
+
+ files_search_var_lib($1)
+ admin_pattern($1, cockpit_var_lib_t)
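Review bot: `cockpit_admin` still lists `type cockpit_var_lib_t;` in its `gen_require` and calls `admin_pattern($1, cockpit_var_lib_t)`, but the same commit removes the `type cockpit_var_lib_t;` / `files_type(cockpit_var_lib_t)` declaration from cockpit.te and the `/var/lib/cockpit(/.*)?` entry from cockpit.fc. Unless the type is declared somewhere not shown here, the requirement cannot be satisfied, and callers of the interface will either fail to build or be dropped when wrapped in `optional_policy`. Either remove the two `cockpit_var_lib_t` lines from the interface or keep the declaration in cockpit.te. The interface body begins and ends outside this hunk.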
@@ -13627,10 +13634,10 @@ index 0000000..25e3237
+')
diff --git a/cockpit.te b/cockpit.te
new file mode 100644
-index 0000000..589262d
+index 0000000..cc6201d
--- /dev/null
+++ b/cockpit.te
-@@ -0,0 +1,95 @@
+@@ -0,0 +1,89 @@
+policy_module(cockpit, 1.0.0)
+
+########################################
@@ -13638,93 +13645,87 @@ index 0000000..589262d
+# Declarations
+#
+
-+type cockpit_t;
-+type cockpit_exec_t;
-+init_daemon_domain(cockpit_t, cockpit_exec_t)
++type cockpit_ws_t;
++type cockpit_ws_exec_t;
++init_daemon_domain(cockpit_ws_t,cockpit_ws_exec_t)
+
-+type cockpit_var_lib_t;
-+files_type(cockpit_var_lib_t)
++type cockpit_tmp_t;
++files_tmp_file(cockpit_tmp_t)
+
+type cockpit_unit_file_t;
+systemd_unit_file(cockpit_unit_file_t)
+
++type cockpit_session_t;
++type cockpit_session_exec_t;
++domain_type(cockpit_session_t)
++domain_entry_file(cockpit_session_t,cockpit_session_exec_t)
++
+########################################
+#
-+# cockpit local policy
++# cockpit_ws_t local policy
+#
-+allow cockpit_t self:capability net_admin;
-+allow cockpit_t self:fifo_file rw_fifo_file_perms;
-+allow cockpit_t self:unix_stream_socket create_stream_socket_perms;
-+allow cockpit_t self:netlink_kobject_uevent_socket create_socket_perms;
-+allow cockpit_t self:unix_dgram_socket create_socket_perms;
-+
-+manage_dirs_pattern(cockpit_t, cockpit_var_lib_t, cockpit_var_lib_t)
-+manage_files_pattern(cockpit_t, cockpit_var_lib_t, cockpit_var_lib_t)
-+manage_lnk_files_pattern(cockpit_t, cockpit_var_lib_t, cockpit_var_lib_t)
-+files_var_lib_filetrans(cockpit_t, cockpit_var_lib_t, { dir file lnk_file })
+
-+kernel_read_system_state(cockpit_t)
-+kernel_read_network_state(cockpit_t)
++allow cockpit_ws_t self:capability net_admin;
++allow cockpit_ws_t self:tcp_socket create_stream_socket_perms;
+
-+corecmd_exec_bin(cockpit_t)
-+corecmd_exec_shell(cockpit_t)
++# cockpit-ws can execute cockpit-session
++can_exec(cockpit_ws_t,cockpit_session_exec_t)
+
-+corenet_tcp_bind_cockpit_port(cockpit_t)
++# cockpit-ws can read from /dev/urandom
++dev_read_urand(cockpit_ws_t) # for authkey
++dev_read_rand(cockpit_ws_t) # for libssh
+
-+dev_read_sysfs(cockpit_t)
++# cockpit-ws can read from the cockpit port
++# TODO: disable this until we have it in our f20 selinux-policy-targeted
++# corenet_tcp_bind_cockpit_port(cockpit_ws_t)
++#allow cockpit_ws_t init_t:tcp_socket accept;
++corenet_tcp_bind_all_reserved_ports(cockpit_ws_t)
+
-+domain_use_interactive_fds(cockpit_t)
-+domain_read_all_domains_state(cockpit_t)
++# cockpit-ws can connect to other hosts via ssh
++corenet_tcp_connect_ssh_port(cockpit_ws_t)
+
-+files_read_etc_files(cockpit_t)
-+files_list_tmp(cockpit_t)
++# cockpit-ws can write to its temp files
++manage_dirs_pattern(cockpit_ws_t, cockpit_tmp_t, cockpit_tmp_t)
++manage_files_pattern(cockpit_ws_t, cockpit_tmp_t, cockpit_tmp_t)
++files_tmp_filetrans(cockpit_ws_t, cockpit_tmp_t, { dir file })
+
-+fs_read_tmpfs_symlinks(cockpit_t)
-+fs_list_cgroup_dirs(cockpit_t)
-+fs_read_cgroup_files(cockpit_t)
-+fs_getattr_all_fs(cockpit_t)
++auth_use_nsswitch(cockpit_ws_t)
+
-+auth_use_nsswitch(cockpit_t)
++logging_send_syslog_msg(cockpit_ws_t)
+
-+init_dbus_chat(cockpit_t)
-+init_status(cockpit_t)
-+init_read_state(cockpit_t)
-+init_list_pid_dirs(cockpit_t)
++# cockpit-ws launches cockpit-session
++cockpit_session_domtrans(cockpit_ws_t)
++allow cockpit_ws_t cockpit_session_t:process signal_perms;
+
-+logging_send_syslog_msg(cockpit_t)
-+
-+miscfiles_read_localization(cockpit_t)
-+
-+systemd_status_all_unit_files(cockpit_t)
-+systemd_read_logind_sessions_files(cockpit_t)
-+
-+udev_read_pid_files(cockpit_t)
++# cockpit-session communicates back with cockpit-ws
++allow cockpit_session_t cockpit_ws_t:unix_stream_socket rw_stream_socket_perms;
+
+optional_policy(`
-+ dbus_system_bus_client(cockpit_t)
-+ dbus_connect_system_bus(cockpit_t)
++ ssh_read_user_home_files(cockpit_ws_t)
++')
+
-+ optional_policy(`
-+ accountsd_dbus_chat(cockpit_t)
-+ ')
++#########################################################
++#
++# cockpit-session local policy
++#
+
-+ optional_policy(`
-+ devicekit_dbus_chat_disk(cockpit_t)
-+ devicekit_dbus_chat_power(cockpit_t)
-+ ')
++# cockpit-session changes to the actual logged in user
++allow cockpit_session_t self:capability { sys_admin dac_override setuid setgid };
++allow cockpit_session_t self:process { setexec setsched signal_perms };
+
-+ optional_policy(`
-+ networkmanager_dbus_chat(cockpit_t)
-+ networkmanager_stream_connect(cockpit_t)
-+ ')
++# cockpit-session runs a full pam stack, including pam_selinux.so
++auth_login_pgm_domain(cockpit_session_t)
++auth_write_login_records(cockpit_session_t)
+
-+ optional_policy(`
-+ realmd_dbus_chat(cockpit_t)
-+ ')
++# cockpit-session can execute cockpit-agent as the user
++userdom_spec_domtrans_all_users(cockpit_session_t)
++
++optional_policy(`
++ userdom_signal_all_users(cockpit_session_t)
+')
+
+optional_policy(`
-+ docker_stream_connect(cockpit_t)
++ unconfined_domtrans(cockpit_session_t)
+')
diff --git a/collectd.fc b/collectd.fc
index 79a3abe..2e7d7ed 100644
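Review bot: `corenet_tcp_bind_all_reserved_ports(cockpit_ws_t)` lets the network-facing cockpit-ws domain bind every reserved TCP port as a stand-in for the commented-out `corenet_tcp_bind_cockpit_port(cockpit_ws_t)`, which is much wider than the single listener it needs, and the TODO states no condition for removing it. The comment above it also says "read from the cockpit port" although the rule is a bind. Suggest `# cockpit-ws binds its listening port` and `# FIXME: temporary; replace with corenet_tcp_bind_cockpit_port() once the base policy defines the cockpit port`. In the same hunk `cockpit_session_t` receives `sys_admin` and `dac_override` plus `unconfined_domtrans()`, justified only by the one-line "changes to the actual logged in user" comment. A comment per capability naming what needs it would let the set be trimmed later.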
@@ -34183,10 +34184,10 @@ index 580b533..c267cea 100644
domain_system_change_exemption($1)
role_transition $2 icecast_initrc_exec_t system_r;
diff --git a/icecast.te b/icecast.te
-index ac6f9d5..6097225 100644
+index ac6f9d5..bd3a837 100644
--- a/icecast.te
+++ b/icecast.te
-@@ -65,12 +65,8 @@ dev_read_sysfs(icecast_t)
+@@ -65,11 +65,9 @@ dev_read_sysfs(icecast_t)
dev_read_urand(icecast_t)
dev_read_rand(icecast_t)
@@ -34195,10 +34196,10 @@ index ac6f9d5..6097225 100644
auth_use_nsswitch(icecast_t)
-miscfiles_read_localization(icecast_t)
--
++files_dontaudit_list_tmp(icecast_t)
+
tunable_policy(`icecast_use_any_tcp_ports',`
corenet_tcp_connect_all_ports(icecast_t)
- corenet_sendrecv_all_client_packets(icecast_t)
diff --git a/ifplugd.if b/ifplugd.if
index 8999899..96909ae 100644
--- a/ifplugd.if
@@ -37259,7 +37260,7 @@ index 0000000..0d61849
+')
diff --git a/keepalived.te b/keepalived.te
new file mode 100644
-index 0000000..879ab65
+index 0000000..a5b2f96
--- /dev/null
+++ b/keepalived.te
@@ -0,0 +1,55 @@
@@ -37316,7 +37317,7 @@ index 0000000..879ab65
+logging_send_syslog_msg(keepalived_t)
+
+optional_policy(`
-+ snmp_read_snmp_var_lib_files(keepalived_t)
++ snmp_manage_var_lib_files(keepalived_t)
+')
diff --git a/kerberos.fc b/kerberos.fc
index 4fe75fd..b029c28 100644
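Review bot: Replacing `snmp_read_snmp_var_lib_files(keepalived_t)` with `snmp_manage_var_lib_files(keepalived_t)` widens keepalived from read-only access to what is presumably full create/write/delete on the SNMP var-lib files, and nothing in keepalived.te records why. Add a comment above the call, e.g. `# keepalived needs to write snmp var lib files (#1053450)`, so the grant can be revisited. If only writing to existing files is required, a narrower interface would be preferable.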
@@ -43460,7 +43461,7 @@ index 0000000..8169129
+')
diff --git a/mip6d.te b/mip6d.te
new file mode 100644
-index 0000000..1d34063
+index 0000000..0f290e9
--- /dev/null
+++ b/mip6d.te
@@ -0,0 +1,33 @@
@@ -43483,7 +43484,7 @@ index 0000000..1d34063
+# mip6d local policy
+#
+allow mip6d_t self:capability { net_admin net_raw };
-+allow mip6d_t self:process { fork signal };
++allow mip6d_t self:process { setpgid fork signal };
+allow mip6d_t self:netlink_route_socket create_netlink_socket_perms;
+allow mip6d_t self:netlink_xfrm_socket create_netlink_socket_perms;
+allow mip6d_t self:rawip_socket create_socket_perms;
@@ -45875,7 +45876,7 @@ index 6194b80..7490fe3 100644
')
+
diff --git a/mozilla.te b/mozilla.te
-index 6a306ee..6c2d2fa 100644
+index 6a306ee..7e2d4fc 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -1,4 +1,4 @@
@@ -46744,7 +46745,7 @@ index 6a306ee..6c2d2fa 100644
')
optional_policy(`
-@@ -568,108 +602,136 @@ optional_policy(`
+@@ -568,108 +602,137 @@ optional_policy(`
')
optional_policy(`
@@ -46939,6 +46940,7 @@ index 6a306ee..6c2d2fa 100644
+tunable_policy(`mozilla_plugin_use_bluejeans',`
+ corenet_tcp_bind_unreserved_ports(mozilla_plugin_t)
+ corenet_dontaudit_tcp_bind_all_defined_ports(mozilla_plugin_t)
++ corenet_tcp_connect_commplex_main_port(mozilla_plugin_t)
')
diff --git a/mpd.fc b/mpd.fc
index 313ce52..ae93e07 100644
@@ -66832,7 +66834,7 @@ index 2e23946..d8a163f 100644
+ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
')
diff --git a/postfix.te b/postfix.te
-index 191a66f..c6cf897 100644
+index 191a66f..f88edc4 100644
--- a/postfix.te
+++ b/postfix.te
@@ -1,4 +1,4 @@
@@ -67014,9 +67016,8 @@ index 191a66f..c6cf897 100644
-########################################
-#
-# Common postfix user domain local policy
-+# Postfix master process local policy
- #
-
+-#
+-
-allow postfix_user_domains self:capability dac_override;
-
-domain_use_interactive_fds(postfix_user_domains)
@@ -67024,8 +67025,9 @@ index 191a66f..c6cf897 100644
-########################################
-#
-# Master local policy
--#
--
++# Postfix master process local policy
+ #
+
-allow postfix_master_t self:capability { chown dac_override kill fowner setgid setuid sys_tty_config };
+# chown is to set the correct ownership of queue dirs
+allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
@@ -67177,10 +67179,6 @@ index 191a66f..c6cf897 100644
-optional_policy(`
- cyrus_stream_connect(postfix_master_t)
--')
--
--optional_policy(`
-- kerberos_keytab_template(postfix, postfix_t)
+ifdef(`distro_redhat',`
+ # for newer main.cf that uses /etc/aliases
+ mta_manage_aliases(postfix_master_t)
@@ -67188,6 +67186,10 @@ index 191a66f..c6cf897 100644
')
optional_policy(`
+- kerberos_keytab_template(postfix, postfix_t)
+-')
+-
+-optional_policy(`
- mailman_manage_data_files(postfix_master_t)
+ cyrus_stream_connect(postfix_master_t)
')
@@ -67631,7 +67633,7 @@ index 191a66f..c6cf897 100644
')
optional_policy(`
-@@ -720,28 +658,28 @@ optional_policy(`
+@@ -720,28 +658,32 @@ optional_policy(`
########################################
#
@@ -67659,17 +67661,20 @@ index 191a66f..c6cf897 100644
-
corecmd_exec_bin(postfix_smtpd_t)
--fs_getattr_all_dirs(postfix_smtpd_t)
--fs_getattr_all_fs(postfix_smtpd_t)
+# for OpenSSL certificates
++
++# postfix checks the size of all mounted file systems
+ fs_getattr_all_dirs(postfix_smtpd_t)
+-fs_getattr_all_fs(postfix_smtpd_t)
-mta_read_aliases(postfix_smtpd_t)
-+# postfix checks the size of all mounted file systems
-+fs_getattr_all_dirs(postfix_smtpd_t)
++optional_policy(`
++ antivirus_stream_connect(postfix_smtpd_t)
++')
optional_policy(`
dovecot_stream_connect_auth(postfix_smtpd_t)
-@@ -754,6 +692,7 @@ optional_policy(`
+@@ -754,6 +696,7 @@ optional_policy(`
optional_policy(`
milter_stream_connect_all(postfix_smtpd_t)
@@ -67677,7 +67682,7 @@ index 191a66f..c6cf897 100644
')
optional_policy(`
-@@ -764,31 +703,99 @@ optional_policy(`
+@@ -764,31 +707,99 @@ optional_policy(`
sasl_connect(postfix_smtpd_t)
')
@@ -79203,7 +79208,7 @@ index 56bc01f..1337d42 100644
+ allow $1 cluster_unit_file_t:service all_service_perms;
')
diff --git a/rhcs.te b/rhcs.te
-index 2c2de9a..503838b 100644
+index 2c2de9a..a470f79 100644
--- a/rhcs.te
+++ b/rhcs.te
@@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false)
@@ -79678,7 +79683,13 @@ index 2c2de9a..503838b 100644
snmp_stream_connect(foghorn_t)
')
-@@ -257,6 +560,8 @@ storage_getattr_removable_dev(gfs_controld_t)
+@@ -253,10 +556,14 @@ dev_rw_dlm_control(gfs_controld_t)
+ dev_setattr_dlm_control(gfs_controld_t)
+ dev_rw_sysfs(gfs_controld_t)
+
++fs_getattr_all_fs(gfs_controld_t)
++
+ storage_getattr_removable_dev(gfs_controld_t)
init_rw_script_tmp_files(gfs_controld_t)
@@ -79687,7 +79698,7 @@ index 2c2de9a..503838b 100644
optional_policy(`
lvm_exec(gfs_controld_t)
dev_rw_lvm_control(gfs_controld_t)
-@@ -275,10 +580,54 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
+@@ -275,10 +582,54 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
dev_list_sysfs(groupd_t)
@@ -79744,7 +79755,7 @@ index 2c2de9a..503838b 100644
######################################
#
# qdiskd local policy
-@@ -321,6 +670,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
+@@ -321,6 +672,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
auth_use_nsswitch(qdiskd_t)
@@ -108212,7 +108223,7 @@ index dd63de0..38ce620 100644
- admin_pattern($1, zabbix_tmpfs_t)
')
diff --git a/zabbix.te b/zabbix.te
-index 46e4cd3..73ea90f 100644
+index 46e4cd3..bf87704 100644
--- a/zabbix.te
+++ b/zabbix.te
@@ -6,27 +6,32 @@ policy_module(zabbix, 1.5.3)
@@ -108251,7 +108262,7 @@ index 46e4cd3..73ea90f 100644
type zabbix_log_t;
logging_log_file(zabbix_log_t)
-@@ -36,27 +41,53 @@ files_tmp_file(zabbix_tmp_t)
+@@ -36,27 +41,54 @@ files_tmp_file(zabbix_tmp_t)
type zabbix_tmpfs_t;
files_tmpfs_file(zabbix_tmpfs_t)
@@ -108275,6 +108286,7 @@ index 46e4cd3..73ea90f 100644
+allow zabbix_domain self:unix_stream_socket create_stream_socket_perms;
+
+kernel_read_all_sysctls(zabbix_domain)
++kernel_read_network_state(zabbix_domain)
+
+corenet_tcp_sendrecv_generic_if(zabbix_domain)
+corenet_tcp_sendrecv_generic_node(zabbix_domain)
@@ -108317,7 +108329,7 @@ index 46e4cd3..73ea90f 100644
manage_dirs_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t)
manage_files_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t)
-@@ -70,13 +101,9 @@ manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
+@@ -70,13 +102,9 @@ manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file })
kernel_read_system_state(zabbix_t)
@@ -108331,7 +108343,7 @@ index 46e4cd3..73ea90f 100644
corenet_sendrecv_ftp_client_packets(zabbix_t)
corenet_tcp_connect_ftp_port(zabbix_t)
-@@ -85,37 +112,30 @@ corenet_tcp_sendrecv_ftp_port(zabbix_t)
+@@ -85,37 +113,30 @@ corenet_tcp_sendrecv_ftp_port(zabbix_t)
corenet_sendrecv_http_client_packets(zabbix_t)
corenet_tcp_connect_http_port(zabbix_t)
corenet_tcp_sendrecv_http_port(zabbix_t)
@@ -108377,7 +108389,7 @@ index 46e4cd3..73ea90f 100644
')
optional_policy(`
-@@ -125,6 +145,7 @@ optional_policy(`
+@@ -125,6 +146,7 @@ optional_policy(`
optional_policy(`
snmp_read_snmp_var_lib_files(zabbix_t)
@@ -108385,7 +108397,7 @@ index 46e4cd3..73ea90f 100644
')
########################################
-@@ -132,18 +153,7 @@ optional_policy(`
+@@ -132,18 +154,7 @@ optional_policy(`
# Agent local policy
#
@@ -108405,7 +108417,7 @@ index 46e4cd3..73ea90f 100644
rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t)
fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
-@@ -151,16 +161,13 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
+@@ -151,16 +162,13 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
manage_files_pattern(zabbix_agent_t, zabbix_var_run_t, zabbix_var_run_t)
files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file)
@@ -108425,7 +108437,7 @@ index 46e4cd3..73ea90f 100644
corenet_sendrecv_zabbix_agent_server_packets(zabbix_agent_t)
corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t)
-@@ -177,21 +184,28 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
+@@ -177,21 +185,28 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
dev_getattr_all_blk_files(zabbix_agent_t)
dev_getattr_all_chr_files(zabbix_agent_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 61fcbb1..4702921 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 178%{?dist}
+Release: 179%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -579,6 +579,17 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Wed Jul 23 2014 Lukas Vrabec 3.12.1-179
+- Bluejeans wants to connect to port 5000
+- Allow zabbix domains to access /proc//net/dev
+- Dontaudit list /tmp for icecast (#894387)
+- Allow postfix_smtpd to stream connect to antivirus (#1105889)
+- Allow gfs_controld_t to getattr on all file systems (#1110886)
+- Add setpgid process to mip6d
+- Allow keepalived manage snmp files(#1053450)
+- Allow certmonger to exec ldconfig to make ipa-server-install working. (#1122110)
+- Update cockpik policy from cockpit usptream.
+
* Fri Jul 18 2014 Lukas Vrabec 3.12.1-178
- Add logging_dontaudit_search_audit_logs()
- Clean up osad policy. Remove additional interfaces/rules