diff --git a/policy-F15.patch b/policy-F15.patch index 9732ec0..6f4279d 100644 --- a/policy-F15.patch +++ b/policy-F15.patch @@ -938,19 +938,20 @@ index 75ce30f..0e77aea 100644 ') diff --git a/policy/modules/admin/mcelog.fc b/policy/modules/admin/mcelog.fc -index 56c43c0..de535e4 100644 +index 56c43c0..0641226 100644 --- a/policy/modules/admin/mcelog.fc +++ b/policy/modules/admin/mcelog.fc -@@ -1 +1,4 @@ +@@ -1 +1,5 @@ /usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0) + -+/var/run/mcelog-client -s gen_context(system_u:object_r:mcelog_var_run_t,s0) ++/var/log/mcelog.* -- gen_context(system_u:object_r:mcelog_log_t,s0) + ++/var/run/mcelog-client -s gen_context(system_u:object_r:mcelog_var_run_t,s0) diff --git a/policy/modules/admin/mcelog.te b/policy/modules/admin/mcelog.te -index 5671977..24a6ad6 100644 +index 5671977..ef8bc09 100644 --- a/policy/modules/admin/mcelog.te +++ b/policy/modules/admin/mcelog.te -@@ -7,8 +7,11 @@ policy_module(mcelog, 1.1.0) +@@ -7,8 +7,14 @@ policy_module(mcelog, 1.1.0) type mcelog_t; type mcelog_exec_t; @@ -960,13 +961,20 @@ index 5671977..24a6ad6 100644 + +type mcelog_var_run_t; +files_pid_file(mcelog_var_run_t) ++ ++type mcelog_log_t; ++logging_log_file(mcelog_log_t) ######################################## # -@@ -17,10 +20,18 @@ cron_system_entry(mcelog_t, mcelog_exec_t) +@@ -17,10 +23,22 @@ cron_system_entry(mcelog_t, mcelog_exec_t) allow mcelog_t self:capability sys_admin; ++manage_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t) ++manage_dirs_pattern(mcelog_t, mcelog_log_t, mcelog_log_t) ++logging_log_filetrans(mcelog_t, mcelog_log_t, { file dir }) ++ +manage_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t) +manage_dirs_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t) +manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t) 
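Review bot: `logging_log_filetrans(mcelog_t, mcelog_log_t, { file dir })` together with `manage_dirs_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)` lets mcelog create directories under /var/log labelled mcelog_log_t, but the only file-context entry added is `/var/log/mcelog.* --`, which matches regular files only, so any such directory would be relabelled back to var_log_t by restorecon. Unless mcelog is known to create a log directory, narrow this to `logging_log_filetrans(mcelog_t, mcelog_log_t, file)` and drop the manage_dirs line; otherwise add a matching `/var/log/mcelog(/.*)?` directory entry to mcelog.fc so the labelling is reproducible. The mcelog_t rule set continues in the following outer hunk.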
@@ -982,7 +990,7 @@ index 5671977..24a6ad6 100644 files_read_etc_files(mcelog_t) -@@ -30,3 +41,7 @@ mls_file_read_all_levels(mcelog_t) +@@ -30,3 +48,7 @@ mls_file_read_all_levels(mcelog_t) logging_send_syslog_msg(mcelog_t) miscfiles_read_localization(mcelog_t) @@ -23636,10 +23644,10 @@ index 0000000..939d76e +') diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te new file mode 100644 -index 0000000..9fe6628 +index 0000000..ebad6da --- /dev/null +++ b/policy/modules/services/colord.te -@@ -0,0 +1,123 @@ +@@ -0,0 +1,124 @@ +policy_module(colord,1.0.0) + +######################################## @@ -23733,6 +23741,7 @@ index 0000000..9fe6628 +sysnet_dns_name_resolve(colord_t) + +userdom_read_inherited_user_home_content_files(colord_t) ++userdom_rw_user_tmpfs_files(colord_t) + +tunable_policy(`use_nfs_home_dirs',` + fs_read_nfs_files(colord_t) @@ -24123,7 +24132,7 @@ index 13d2f63..a048c53 100644 type cpuspeed_t; type cpuspeed_exec_t; diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc -index 2eefc08..6030f34 100644 +index 2eefc08..34ab5ce 100644 --- a/policy/modules/services/cron.fc +++ b/policy/modules/services/cron.fc @@ -14,9 +14,10 @@ @@ -24138,14 +24147,12 @@ index 2eefc08..6030f34 100644 /var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) /var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0) -@@ -45,3 +46,7 @@ ifdef(`distro_suse', ` +@@ -45,3 +46,5 @@ ifdef(`distro_suse', ` /var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0) /var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) /var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) + +/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0) -+ -+/var/log/mcelog.* -- gen_context(system_u:object_r:cron_log_t,s0) 
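Review bot: `userdom_rw_user_tmpfs_files(colord_t)` gives a system daemon read/write access to tmpfs-backed files of every user domain, and nothing in the hunk says which object colord actually needs. If this was driven by a single denial (a shared-memory segment belonging to a session client is the usual case), a one-line comment above it such as `# colord maps client shm segments` would let the next reviewer judge whether a narrower interface exists; without it the line reads as a blanket grant. The colord_t local policy continues past this hunk.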
diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if index 35241ed..a75e22c 100644 --- a/policy/modules/services/cron.if @@ -27238,7 +27245,7 @@ index e1d7dc5..673f185 100644 admin_pattern($1, dovecot_var_run_t) diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te -index cbe14e4..ce42295 100644 +index cbe14e4..b0a8e17 100644 --- a/policy/modules/services/dovecot.te +++ b/policy/modules/services/dovecot.te @@ -18,7 +18,7 @@ type dovecot_auth_tmp_t; @@ -27340,7 +27347,16 @@ index cbe14e4..ce42295 100644 manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir }) -@@ -235,6 +255,8 @@ optional_policy(` +@@ -200,6 +220,8 @@ dovecot_stream_connect_auth(dovecot_auth_t) + kernel_read_all_sysctls(dovecot_auth_t) + kernel_read_system_state(dovecot_auth_t) + ++corecmd_exec_bin(dovecot_auth_t) ++ + logging_send_audit_msgs(dovecot_auth_t) + logging_send_syslog_msg(dovecot_auth_t) + +@@ -235,6 +257,8 @@ optional_policy(` optional_policy(` mysql_search_db(dovecot_auth_t) mysql_stream_connect(dovecot_auth_t) @@ -27349,7 +27365,7 @@ index cbe14e4..ce42295 100644 ') optional_policy(` -@@ -242,6 +264,8 @@ optional_policy(` +@@ -242,6 +266,8 @@ optional_policy(` ') optional_policy(` @@ -27358,7 +27374,7 @@ index cbe14e4..ce42295 100644 postfix_search_spool(dovecot_auth_t) ') -@@ -249,23 +273,42 @@ optional_policy(` +@@ -249,23 +275,42 @@ optional_policy(` # # dovecot deliver local policy # @@ -27403,7 +27419,7 @@ index cbe14e4..ce42295 100644 miscfiles_read_localization(dovecot_deliver_t) -@@ -301,5 +344,15 @@ tunable_policy(`use_samba_home_dirs',` +@@ -301,5 +346,15 @@ tunable_policy(`use_samba_home_dirs',` ') optional_policy(` @@ -28306,7 +28322,7 @@ index bc27421..a65582e 100644 ## ## Allow domain dyntransition to sftpd_anon domain. 
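Review bot: `corecmd_exec_bin(dovecot_auth_t)` lets the authentication worker execute any bin_t binary inside its own domain, with no comment on what triggered it; the auth process handles untrusted credentials, so this is the one dovecot domain where a broad exec right deserves a justification. If the need is external checkpassword-style helpers, record that above the line, e.g. `# external checkpassword helpers live in bin_t`, and consider a dedicated exec type with a domain transition so the helper does not inherit dovecot_auth_t's own permissions. The dovecot_auth_t local policy continues past this hunk.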
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te -index 8a74a83..f735e6b 100644 +index 8a74a83..f947224 100644 --- a/policy/modules/services/ftp.te +++ b/policy/modules/services/ftp.te @@ -40,6 +40,13 @@ gen_tunable(allow_ftpd_use_nfs, false) @@ -28349,7 +28365,15 @@ index 8a74a83..f735e6b 100644 ######################################## # # anon-sftp local policy -@@ -133,7 +152,7 @@ tunable_policy(`sftpd_anon_write',` +@@ -122,6 +141,7 @@ ifdef(`enable_mcs',` + + files_read_etc_files(anon_sftpd_t) + ++miscfiles_read_localization(anon_sftpd_t) + miscfiles_read_public_files(anon_sftpd_t) + + tunable_policy(`sftpd_anon_write',` +@@ -133,7 +153,7 @@ tunable_policy(`sftpd_anon_write',` # ftpd local policy # @@ -28358,7 +28382,7 @@ index 8a74a83..f735e6b 100644 dontaudit ftpd_t self:capability sys_tty_config; allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms }; allow ftpd_t self:fifo_file rw_fifo_file_perms; -@@ -151,7 +170,6 @@ files_lock_filetrans(ftpd_t, ftpd_lock_t, file) +@@ -151,7 +171,6 @@ files_lock_filetrans(ftpd_t, ftpd_lock_t, file) manage_dirs_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t) manage_files_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t) @@ -28366,7 +28390,7 @@ index 8a74a83..f735e6b 100644 manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) -@@ -163,13 +181,13 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file +@@ -163,13 +182,13 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t) manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t) manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t) 
@@ -28382,7 +28406,7 @@ index 8a74a83..f735e6b 100644 # Create and modify /var/log/xferlog. manage_files_pattern(ftpd_t, xferlog_t, xferlog_t) -@@ -219,6 +237,7 @@ auth_append_login_records(ftpd_t) +@@ -219,6 +238,7 @@ auth_append_login_records(ftpd_t) #kerberized ftp requires the following auth_write_login_records(ftpd_t) auth_rw_faillog(ftpd_t) @@ -28390,7 +28414,7 @@ index 8a74a83..f735e6b 100644 init_rw_utmp(ftpd_t) -@@ -270,10 +289,13 @@ tunable_policy(`ftp_home_dir',` +@@ -270,10 +290,13 @@ tunable_policy(`ftp_home_dir',` # allow access to /home files_list_home(ftpd_t) userdom_read_user_home_content_files(ftpd_t) @@ -28408,7 +28432,7 @@ index 8a74a83..f735e6b 100644 ') tunable_policy(`ftp_home_dir && use_nfs_home_dirs',` -@@ -316,6 +338,25 @@ optional_policy(` +@@ -316,6 +339,25 @@ optional_policy(` ') optional_policy(` @@ -28434,7 +28458,7 @@ index 8a74a83..f735e6b 100644 inetd_tcp_service_domain(ftpd_t, ftpd_exec_t) optional_policy(` -@@ -347,10 +388,11 @@ optional_policy(` +@@ -347,10 +389,11 @@ optional_policy(` # Allow ftpdctl to talk to ftpd over a socket connection stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t) @@ -28447,12 +28471,14 @@ index 8a74a83..f735e6b 100644 files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file) # Allow ftpdctl to read config files -@@ -368,15 +410,28 @@ files_read_etc_files(sftpd_t) +@@ -368,15 +411,30 @@ files_read_etc_files(sftpd_t) # allow read access to /home by default userdom_read_user_home_content_files(sftpd_t) userdom_read_user_home_content_symlinks(sftpd_t) +userdom_dontaudit_list_admin_dir(sftpd_t) + ++miscfiles_read_localization(sftpd_t) ++ +tunable_policy(`sftpd_full_access',` + allow sftpd_t self:capability { dac_override dac_read_search }; + fs_read_noxattr_fs_files(sftpd_t) @@ -37772,7 +37798,7 @@ index 46bee12..83cb270 100644 + role $2 types postfix_postdrop_t; +') 
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te -index 06e37d4..e160aa1 100644 +index 06e37d4..b4d7354 100644 --- a/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te @@ -5,6 +5,14 @@ policy_module(postfix, 1.12.0) @@ -37892,7 +37918,7 @@ index 06e37d4..e160aa1 100644 term_dontaudit_search_ptys(postfix_master_t) -@@ -220,7 +239,7 @@ allow postfix_bounce_t self:capability dac_read_search; +@@ -220,13 +239,17 @@ allow postfix_bounce_t self:capability dac_read_search; allow postfix_bounce_t self:tcp_socket create_socket_perms; allow postfix_bounce_t postfix_public_t:sock_file write; @@ -37901,7 +37927,17 @@ index 06e37d4..e160aa1 100644 manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) -@@ -264,8 +283,8 @@ optional_policy(` + manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) + files_spool_filetrans(postfix_bounce_t, postfix_spool_t, dir) + ++manage_files_pattern(postfix_bounce_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) ++manage_dirs_pattern(postfix_bounce_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) ++allow postfix_bounce_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms; ++ + manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) + manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) + manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) +@@ -264,8 +287,8 @@ optional_policy(` # Postfix local local policy # 
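Review bot: The new `manage_files_pattern`/`manage_dirs_pattern` on postfix_spool_maildrop_t give the bounce daemon create, write and unlink rights in the maildrop queue, the directory unprivileged senders drop mail into through postdrop, and nothing here names the denial that motivated it. Bounce normally works on its own bounce/ directory and the main queue, so if the observed AVC was a read (a mislabelled file, for instance), `read_files_pattern` plus `list_dir_perms` would cover it without letting a compromised bounce process remove or forge other users' submissions. A one-line comment quoting the denial would help either way.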
@@ -37911,7 +37947,7 @@ index 06e37d4..e160aa1 100644 # connect to master process stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t) -@@ -273,6 +292,8 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post +@@ -273,6 +296,8 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post # for .forward - maybe we need a new type for it? rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t) @@ -37920,7 +37956,7 @@ index 06e37d4..e160aa1 100644 allow postfix_local_t postfix_spool_t:file rw_file_perms; corecmd_exec_shell(postfix_local_t) -@@ -286,10 +307,15 @@ mta_read_aliases(postfix_local_t) +@@ -286,10 +311,15 @@ mta_read_aliases(postfix_local_t) mta_delete_spool(postfix_local_t) # For reading spamassasin mta_read_config(postfix_local_t) @@ -37939,7 +37975,7 @@ index 06e37d4..e160aa1 100644 optional_policy(` clamav_search_lib(postfix_local_t) -@@ -304,9 +330,22 @@ optional_policy(` +@@ -304,9 +334,22 @@ optional_policy(` ') optional_policy(` @@ -37962,7 +37998,7 @@ index 06e37d4..e160aa1 100644 ######################################## # # Postfix map local policy -@@ -372,6 +411,7 @@ optional_policy(` +@@ -372,6 +415,7 @@ optional_policy(` # Postfix pickup local policy # 
@@ -37970,7 +38006,18 @@ index 06e37d4..e160aa1 100644 allow postfix_pickup_t self:tcp_socket create_socket_perms; stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t) -@@ -390,8 +430,8 @@ delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_m +@@ -381,6 +425,10 @@ rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) + + postfix_list_spool(postfix_pickup_t) + ++allow postfix_pickup_t postfix_spool_t:dir list_dir_perms; ++read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t) ++delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t) ++ + allow postfix_pickup_t postfix_spool_maildrop_t:dir list_dir_perms; + read_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) + delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) +@@ -390,8 +438,8 @@ delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_m # Postfix pipe local policy # @@ -37980,7 +38027,7 @@ index 06e37d4..e160aa1 100644 write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t) -@@ -401,6 +441,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) +@@ -401,6 +449,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t) @@ -37989,7 +38036,7 @@ index 06e37d4..e160aa1 100644 optional_policy(` dovecot_domtrans_deliver(postfix_pipe_t) ') -@@ -420,6 +462,7 @@ optional_policy(` +@@ -420,6 +470,7 @@ optional_policy(` optional_policy(` spamassassin_domtrans_client(postfix_pipe_t) 
@@ -37997,7 +38044,7 @@ index 06e37d4..e160aa1 100644 ') optional_policy(` -@@ -436,6 +479,9 @@ allow postfix_postdrop_t self:capability sys_resource; +@@ -436,6 +487,9 @@ allow postfix_postdrop_t self:capability sys_resource; allow postfix_postdrop_t self:tcp_socket create; allow postfix_postdrop_t self:udp_socket create_socket_perms; @@ -38007,7 +38054,7 @@ index 06e37d4..e160aa1 100644 rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t) postfix_list_spool(postfix_postdrop_t) -@@ -507,6 +553,8 @@ optional_policy(` +@@ -507,6 +561,8 @@ optional_policy(` # Postfix qmgr local policy # 
@@ -38016,20 +38063,20 @@ index 06e37d4..e160aa1 100644 stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t) rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t) -@@ -519,7 +567,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) +@@ -519,7 +575,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms; allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms; -allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file { getattr read }; +allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file read_lnk_file_perms; + -+allow postfix_qmgr_t postfix_spool_maildrop_t:dir list_dir_perms; -+allow postfix_qmgr_t postfix_spool_maildrop_t:file read_file_perms; ++manage_files_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) ++manage_dirs_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) +allow postfix_qmgr_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms; corecmd_exec_bin(postfix_qmgr_t) -@@ -539,7 +591,7 @@ postfix_list_spool(postfix_showq_t) +@@ -539,7 +599,7 @@ postfix_list_spool(postfix_showq_t) allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms; allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms; @@ -38038,7 +38085,7 @@ index 06e37d4..e160aa1 100644 # to write the mailq output, it really should not need read access! term_use_all_ptys(postfix_showq_t) -@@ -588,10 +640,16 @@ corecmd_exec_bin(postfix_smtpd_t) +@@ -588,10 +648,16 @@ corecmd_exec_bin(postfix_smtpd_t) # for OpenSSL certificates files_read_usr_files(postfix_smtpd_t) 
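Review bot: This replaces the earlier read-only access (`list_dir_perms` / `read_file_perms`) on postfix_spool_maildrop_t with full `manage_files_pattern`/`manage_dirs_pattern` for qmgr, and the changelog only says "more fixes for postfix policy". The queue manager is fed by pickup and cleanup rather than consuming maildrop itself, so create/unlink in the submission directory widens what a compromised qmgr could do to other users' queued mail; if the denial was a write to a mislabelled file, fixing the label is the narrower change. Please quote the observed AVC in a comment above the rule so the widening can be reassessed later.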
@@ -38055,7 +38102,18 @@ index 06e37d4..e160aa1 100644 ') optional_policy(` -@@ -611,8 +669,8 @@ optional_policy(` +@@ -599,6 +665,10 @@ optional_policy(` + ') + + optional_policy(` ++ mysql_stream_connect(postfix_smtpd_t) ++') ++ ++optional_policy(` + postgrey_stream_connect(postfix_smtpd_t) + ') + +@@ -611,8 +681,8 @@ optional_policy(` # Postfix virtual local policy # @@ -38065,7 +38123,7 @@ index 06e37d4..e160aa1 100644 allow postfix_virtual_t postfix_spool_t:file rw_file_perms; -@@ -630,3 +688,8 @@ mta_delete_spool(postfix_virtual_t) +@@ -630,3 +700,8 @@ mta_delete_spool(postfix_virtual_t) # For reading spamassasin mta_read_config(postfix_virtual_t) mta_manage_spool(postfix_virtual_t) @@ -45969,10 +46027,10 @@ index 2124b6a..7b0af0f 100644 +/var/lib/oz(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) +/var/lib/oz/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if -index 7c5d8d8..b961fd7 100644 +index 7c5d8d8..03cc7aee 100644 --- a/policy/modules/services/virt.if +++ b/policy/modules/services/virt.if -@@ -13,14 +13,15 @@ +@@ -13,39 +13,42 @@ # template(`virt_domain_template',` gen_require(` @@ -45981,6 +46039,7 @@ index 7c5d8d8..b961fd7 100644 - attribute virt_domain; + attribute virt_image_type, virt_domain; + attribute virt_tmpfs_type; ++ attribute virt_ptynode; ') type $1_t, virt_domain; @@ -45990,8 +46049,10 @@ index 7c5d8d8..b961fd7 100644 + mcs_untrusted_proc($1_t) role system_r types $1_t; - type $1_devpts_t; -@@ -29,23 +30,24 @@ template(`virt_domain_template',` +- type $1_devpts_t; ++ type $1_devpts_t, virt_ptynode; + term_pty($1_devpts_t) + type $1_tmp_t; files_tmp_file($1_tmp_t) 
@@ -46021,7 +46082,7 @@ index 7c5d8d8..b961fd7 100644 manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) -@@ -57,18 +59,6 @@ template(`virt_domain_template',` +@@ -57,18 +60,6 @@ template(`virt_domain_template',` manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file }) @@ -46040,7 +46101,7 @@ index 7c5d8d8..b961fd7 100644 optional_policy(` xserver_rw_shm($1_t) ') -@@ -101,9 +91,9 @@ interface(`virt_image',` +@@ -101,9 +92,9 @@ interface(`virt_image',` ## Execute a domain transition to run virt. ## ## @@ -46052,7 +46113,7 @@ index 7c5d8d8..b961fd7 100644 ## # interface(`virt_domtrans',` -@@ -164,13 +154,13 @@ interface(`virt_attach_tun_iface',` +@@ -164,13 +155,13 @@ interface(`virt_attach_tun_iface',` # interface(`virt_read_config',` gen_require(` @@ -46068,7 +46129,7 @@ index 7c5d8d8..b961fd7 100644 ') ######################################## -@@ -185,13 +175,13 @@ interface(`virt_read_config',` +@@ -185,13 +176,13 @@ interface(`virt_read_config',` # interface(`virt_manage_config',` gen_require(` @@ -46084,7 +46145,7 @@ index 7c5d8d8..b961fd7 100644 ') ######################################## -@@ -231,6 +221,24 @@ interface(`virt_read_content',` +@@ -231,6 +222,24 @@ interface(`virt_read_content',` ######################################## ## @@ -46109,7 +46170,7 @@ index 7c5d8d8..b961fd7 100644 ## Read virt PID files. ## ## -@@ -269,6 +277,36 @@ interface(`virt_manage_pid_files',` +@@ -269,6 +278,36 @@ interface(`virt_manage_pid_files',` ######################################## ## @@ -46146,7 +46207,7 @@ index 7c5d8d8..b961fd7 100644 ## Search virt lib directories. ## ## -@@ -308,6 +346,24 @@ interface(`virt_read_lib_files',` +@@ -308,6 +347,24 @@ interface(`virt_read_lib_files',` ######################################## ## 
@@ -46171,7 +46232,7 @@ index 7c5d8d8..b961fd7 100644 ## Create, read, write, and delete ## virt lib files. ## -@@ -352,9 +408,9 @@ interface(`virt_read_log',` +@@ -352,9 +409,9 @@ interface(`virt_read_log',` ## virt log files. ## ## @@ -46183,7 +46244,7 @@ index 7c5d8d8..b961fd7 100644 ## # interface(`virt_append_log',` -@@ -424,6 +480,24 @@ interface(`virt_read_images',` +@@ -424,6 +481,24 @@ interface(`virt_read_images',` ######################################## ## @@ -46208,7 +46269,7 @@ index 7c5d8d8..b961fd7 100644 ## Create, read, write, and delete ## svirt cache files. ## -@@ -433,15 +507,15 @@ interface(`virt_read_images',` +@@ -433,15 +508,15 @@ interface(`virt_read_images',` ## ## # @@ -46229,7 +46290,7 @@ index 7c5d8d8..b961fd7 100644 ') ######################################## -@@ -500,6 +574,7 @@ interface(`virt_manage_images',` +@@ -500,6 +575,7 @@ interface(`virt_manage_images',` interface(`virt_admin',` gen_require(` type virtd_t, virtd_initrc_exec_t; @@ -46237,7 +46298,7 @@ index 7c5d8d8..b961fd7 100644 ') allow $1 virtd_t:process { ptrace signal_perms }; -@@ -515,4 +590,149 @@ interface(`virt_admin',` +@@ -515,4 +591,149 @@ interface(`virt_admin',` virt_manage_lib_files($1) virt_manage_log($1) @@ -46388,14 +46449,15 @@ index 7c5d8d8..b961fd7 100644 + allow $1 virt_tmpfs_type:file manage_file_perms; ') diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te -index 3eca020..1d39c1b 100644 +index 3eca020..931dbce 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te -@@ -5,56 +5,66 @@ policy_module(virt, 1.4.0) +@@ -5,56 +5,67 @@ policy_module(virt, 1.4.0) # Declarations # +attribute virsh_transition_domain; ++attribute virt_ptynode; + ## -##

@@ -46479,7 +46541,7 @@ index 3eca020..1d39c1b 100644 type virt_etc_t; files_config_file(virt_etc_t) -@@ -62,23 +72,31 @@ files_config_file(virt_etc_t) +@@ -62,23 +73,31 @@ files_config_file(virt_etc_t) type virt_etc_rw_t; files_type(virt_etc_rw_t) @@ -46512,7 +46574,7 @@ index 3eca020..1d39c1b 100644 type virtd_t; type virtd_exec_t; -@@ -89,6 +107,11 @@ domain_subj_id_change_exemption(virtd_t) +@@ -89,6 +108,11 @@ domain_subj_id_change_exemption(virtd_t) type virtd_initrc_exec_t; init_script_file(virtd_initrc_exec_t) @@ -46524,7 +46586,7 @@ index 3eca020..1d39c1b 100644 ifdef(`enable_mcs',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh) ') -@@ -104,15 +127,12 @@ ifdef(`enable_mls',` +@@ -104,15 +128,12 @@ ifdef(`enable_mls',` allow svirt_t self:udp_socket create_socket_perms; @@ -46541,7 +46603,7 @@ index 3eca020..1d39c1b 100644 fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file) list_dirs_pattern(svirt_t, virt_content_t, virt_content_t) -@@ -120,6 +140,9 @@ read_files_pattern(svirt_t, virt_content_t, virt_content_t) +@@ -120,6 +141,9 @@ read_files_pattern(svirt_t, virt_content_t, virt_content_t) dontaudit svirt_t virt_content_t:file write_file_perms; dontaudit svirt_t virt_content_t:dir write; @@ -46551,7 +46613,7 @@ index 3eca020..1d39c1b 100644 corenet_udp_sendrecv_generic_if(svirt_t) corenet_udp_sendrecv_generic_node(svirt_t) corenet_udp_sendrecv_all_ports(svirt_t) -@@ -133,6 +156,8 @@ dev_list_sysfs(svirt_t) +@@ -133,6 +157,8 @@ dev_list_sysfs(svirt_t) userdom_search_user_home_content(svirt_t) userdom_read_user_home_content_symlinks(svirt_t) userdom_read_all_users_state(svirt_t) @@ -46560,7 +46622,7 @@ index 3eca020..1d39c1b 100644 tunable_policy(`virt_use_comm',` term_use_unallocated_ttys(svirt_t) -@@ -147,11 +172,15 @@ tunable_policy(`virt_use_fusefs',` +@@ -147,11 +173,15 @@ tunable_policy(`virt_use_fusefs',` tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(svirt_t) fs_manage_nfs_files(svirt_t) 
@@ -46576,7 +46638,7 @@ index 3eca020..1d39c1b 100644 ') tunable_policy(`virt_use_sysfs',` -@@ -160,11 +189,22 @@ tunable_policy(`virt_use_sysfs',` +@@ -160,11 +190,22 @@ tunable_policy(`virt_use_sysfs',` tunable_policy(`virt_use_usb',` dev_rw_usbfs(svirt_t) @@ -46599,7 +46661,7 @@ index 3eca020..1d39c1b 100644 xen_rw_image_files(svirt_t) ') -@@ -174,21 +214,33 @@ optional_policy(` +@@ -174,21 +215,33 @@ optional_policy(` # allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace }; @@ -46637,7 +46699,7 @@ index 3eca020..1d39c1b 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -200,8 +252,14 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) +@@ -200,8 +253,15 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) manage_files_pattern(virtd_t, virt_image_type, virt_image_type) manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type) @@ -46646,6 +46708,7 @@ index 3eca020..1d39c1b 100644 +manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type) +allow virtd_t virt_image_type:file relabel_file_perms; +allow virtd_t virt_image_type:blk_file relabel_blk_file_perms; ++allow virtd_t virt_ptynode:chr_file rw_term_perms; + +manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t) +manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t) @@ -46654,7 +46717,7 @@ index 3eca020..1d39c1b 100644 manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) manage_files_pattern(virtd_t, virt_log_t, virt_log_t) -@@ -220,6 +278,7 @@ files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) +@@ -220,6 +280,7 @@ files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) kernel_rw_net_sysctls(virtd_t) 
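Review bot: `allow virtd_t virt_ptynode:chr_file rw_term_perms;` gives libvirtd read/write on the pty of every guest domain created through virt_domain_template, presumably for serial-console relaying, but the rule carries no comment and the attribute's purpose is otherwise only visible in virt.if. A short note such as `# libvirtd relays guest consoles over the per-domain pty` would keep that intent in virt.te, and it is worth stating that any future template instance inherits the access automatically because the rule is keyed on the attribute rather than a concrete type.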
@@ -46662,7 +46725,7 @@ index 3eca020..1d39c1b 100644 kernel_request_load_module(virtd_t) kernel_search_debugfs(virtd_t) -@@ -239,22 +298,31 @@ corenet_tcp_connect_soundd_port(virtd_t) +@@ -239,22 +300,31 @@ corenet_tcp_connect_soundd_port(virtd_t) corenet_rw_tun_tap_dev(virtd_t) dev_rw_sysfs(virtd_t) @@ -46695,7 +46758,7 @@ index 3eca020..1d39c1b 100644 fs_list_auto_mountpoints(virtd_t) fs_getattr_xattr_fs(virtd_t) -@@ -262,6 +330,18 @@ fs_rw_anon_inodefs_files(virtd_t) +@@ -262,6 +332,18 @@ fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) fs_rw_cgroup_files(virtd_t) @@ -46714,7 +46777,7 @@ index 3eca020..1d39c1b 100644 mcs_process_set_categories(virtd_t) -@@ -285,16 +365,30 @@ modutils_read_module_config(virtd_t) +@@ -285,16 +367,30 @@ modutils_read_module_config(virtd_t) modutils_manage_module_config(virtd_t) logging_send_syslog_msg(virtd_t) @@ -46745,7 +46808,7 @@ index 3eca020..1d39c1b 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -313,6 +407,10 @@ optional_policy(` +@@ -313,6 +409,10 @@ optional_policy(` ') optional_policy(` @@ -46756,7 +46819,7 @@ index 3eca020..1d39c1b 100644 dbus_system_bus_client(virtd_t) optional_policy(` -@@ -329,6 +427,10 @@ optional_policy(` +@@ -329,6 +429,10 @@ optional_policy(` ') optional_policy(` @@ -46767,7 +46830,7 @@ index 3eca020..1d39c1b 100644 dnsmasq_domtrans(virtd_t) dnsmasq_signal(virtd_t) dnsmasq_kill(virtd_t) -@@ -365,6 +467,8 @@ optional_policy(` +@@ -365,6 +469,8 @@ optional_policy(` qemu_signal(virtd_t) qemu_kill(virtd_t) qemu_setsched(virtd_t) @@ -46776,7 +46839,7 @@ index 3eca020..1d39c1b 100644 ') optional_policy(` -@@ -394,14 +498,26 @@ optional_policy(` +@@ -394,14 +500,26 @@ optional_policy(` # virtual domains common policy # 
@@ -46805,7 +46868,7 @@ index 3eca020..1d39c1b 100644 append_files_pattern(virt_domain, virt_log_t, virt_log_t) append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) -@@ -422,6 +538,7 @@ corenet_rw_tun_tap_dev(virt_domain) +@@ -422,6 +540,7 @@ corenet_rw_tun_tap_dev(virt_domain) corenet_tcp_bind_virt_migration_port(virt_domain) corenet_tcp_connect_virt_migration_port(virt_domain) @@ -46813,7 +46876,7 @@ index 3eca020..1d39c1b 100644 dev_read_rand(virt_domain) dev_read_sound(virt_domain) dev_read_urand(virt_domain) -@@ -429,10 +546,12 @@ dev_write_sound(virt_domain) +@@ -429,10 +548,12 @@ dev_write_sound(virt_domain) dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) dev_rw_qemu(virt_domain) @@ -46826,7 +46889,7 @@ index 3eca020..1d39c1b 100644 files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) -@@ -440,6 +559,14 @@ files_search_all(virt_domain) +@@ -440,6 +561,14 @@ files_search_all(virt_domain) fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) @@ -46841,7 +46904,7 @@ index 3eca020..1d39c1b 100644 term_use_all_terms(virt_domain) term_getattr_pty_fs(virt_domain) -@@ -457,8 +584,117 @@ optional_policy(` +@@ -457,8 +586,117 @@ optional_policy(` ') optional_policy(` @@ -46866,7 +46929,7 @@ index 3eca020..1d39c1b 100644 +typealias virsh_exec_t alias xm_exec_t; + +allow virsh_t self:capability { setpcap dac_override ipc_lock sys_tty_config }; -+allow virsh_t self:process { getcap getsched setcap signal }; ++allow virsh_t self:process { getcap getsched setsched setcap signal }; +allow virsh_t self:fifo_file rw_fifo_file_perms; +allow virsh_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow virsh_t self:tcp_socket create_stream_socket_perms; diff --git a/selinux-policy.spec b/selinux-policy.spec index c0798d7..d74f323 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
@@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.16 -Release: 33%{?dist} +Release: 34%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -471,6 +471,12 @@ exit 0 %endif %changelog +* Fri Jul 15 2011 Miroslav Grepl 3.9.16-34 +- More fixes for postfix policy +- Allow virsh_t setsched +- Add mcelog_log_t type for mcelog log file +- Add virt_ptynode attribute + * Mon Jul 11 2011 Miroslav Grepl 3.9.16-33 - Add l2tpd policy - Fixes for abrt