diff --git a/policy-f20-base.patch b/policy-f20-base.patch
index 764520e..cc34165 100644
--- a/policy-f20-base.patch
+++ b/policy-f20-base.patch
@@ -28899,7 +28899,7 @@ index 3efd5b6..42803b7 100644
+ allow $1 login_pgm:process sigchld;
+')
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 104037e..cc09db4 100644
+index 104037e..837948b 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -5,6 +5,19 @@ policy_module(authlogin, 2.4.2)
@@ -29170,17 +29170,37 @@ index 104037e..cc09db4 100644
files_list_var_lib(nsswitch_domain)
# read /etc/nsswitch.conf
-@@ -417,15 +453,21 @@ files_read_etc_files(nsswitch_domain)
+@@ -417,15 +453,42 @@ files_read_etc_files(nsswitch_domain)
sysnet_dns_name_resolve(nsswitch_domain)
--tunable_policy(`authlogin_nsswitch_use_ldap',`
-- files_list_var_lib(nsswitch_domain)
+systemd_hostnamed_read_config(nsswitch_domain)
++
++
+ tunable_policy(`authlogin_nsswitch_use_ldap',`
+- files_list_var_lib(nsswitch_domain)
++ allow nsswitch_domain self:tcp_socket create_socket_perms;
++')
++
++tunable_policy(`authlogin_nsswitch_use_ldap',`
++ corenet_tcp_sendrecv_generic_if(nsswitch_domain)
++ corenet_tcp_sendrecv_generic_node(nsswitch_domain)
++ corenet_tcp_sendrecv_ldap_port(nsswitch_domain)
++ corenet_tcp_connect_ldap_port(nsswitch_domain)
++ corenet_sendrecv_ldap_client_packets(nsswitch_domain)
++')
++
++tunable_policy(`authlogin_nsswitch_use_ldap',`
++ # Support for LDAPS
++ dev_read_rand(nsswitch_domain)
++ # LDAP Configuration using encrypted requires
++ dev_read_urand(nsswitch_domain)
++ sysnet_read_config(nsswitch_domain)
++')
+tunable_policy(`authlogin_nsswitch_use_ldap',`
miscfiles_read_generic_certs(nsswitch_domain)
- sysnet_use_ldap(nsswitch_domain)
+- sysnet_use_ldap(nsswitch_domain)
')
optional_policy(`
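Review bot: The rules added to authlogin.te at L27-L46 are a verbatim copy of what sysnet_use_ldap() grants (compare the interface body at L81-L91), so future changes to that interface will no longer reach nsswitch_domain, and the reason for the copy is only recorded in the spec changelog. A comment at the first of the new blocks would keep that visible to the next editor: `# Inlined from sysnet_use_ldap(): optional_policy() cannot be nested inside tunable_policy(), so the ldap_read_certs() part lives in its own optional_policy() block below.` The four consecutive `tunable_policy(`authlogin_nsswitch_use_ldap',` blocks (L25, L30, L38, L45) guard the same boolean and could be one block; the split reads as a paste artifact rather than a deliberate grouping.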
@@ -29191,10 +29211,11 @@ index 104037e..cc09db4 100644
+
+optional_policy(`
+ tunable_policy(`authlogin_nsswitch_use_ldap',`
++ ldap_read_certs(nsswitch_domain)
ldap_stream_connect(nsswitch_domain)
')
')
-@@ -438,6 +480,7 @@ optional_policy(`
+@@ -438,6 +501,7 @@ optional_policy(`
likewise_stream_connect_lsassd(nsswitch_domain)
')
@@ -29202,7 +29223,7 @@ index 104037e..cc09db4 100644
optional_policy(`
kerberos_use(nsswitch_domain)
')
-@@ -456,10 +499,145 @@ optional_policy(`
+@@ -456,10 +520,145 @@ optional_policy(`
optional_policy(`
sssd_stream_connect(nsswitch_domain)
@@ -39275,7 +39296,7 @@ index 346a7cc..42a48b6 100644
+/var/run/netns(/.*)? gen_context(system_u:object_r:ifconfig_var_run_t,s0)
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index 6944526..07fa942 100644
+index 6944526..50b1c3c 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
@@ -39571,15 +39592,18 @@ index 6944526..07fa942 100644
corenet_tcp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
corenet_tcp_sendrecv_ldap_port($1)
-@@ -733,6 +904,11 @@ interface(`sysnet_use_ldap',`
+@@ -730,9 +901,14 @@ interface(`sysnet_use_ldap',`
+
+ # Support for LDAPS
+ dev_read_rand($1)
++ # LDAP Configuration using encrypted requires
dev_read_urand($1)
sysnet_read_config($1)
+
-+ # LDAP Configuration using encrypted requires
-+ dev_read_urand($1)
-+
-+ ldap_read_certs($1)
++ optional_policy(`
++ ldap_read_certs($1)
++ ')
')
########################################
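Review bot: Wrapping ldap_read_certs($1) in optional_policy() at L97-L99 changes the contract of sysnet_use_ldap(): it can no longer be called from inside a tunable_policy() block, which is exactly why this commit inlines it in authlogin.te and dhcp.te, but any other caller that still invokes it under a tunable will fail to build (hedged: the remaining call sites are not visible here, so this is worth a grep before merging). The interface header is outside the hunk; its description should state the constraint, e.g. `## Contains optional_policy(); do not call from within tunable_policy().`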
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index 66de755..3873d91 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -21943,7 +21943,7 @@ index c697edb..31d45bf 100644
+ allow $1 dhcpd_unit_file_t:service all_service_perms;
')
diff --git a/dhcp.te b/dhcp.te
-index c93c3db..cdb4d60 100644
+index c93c3db..5d61f10 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -20,6 +20,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t)
@@ -21972,23 +21972,39 @@ index c93c3db..cdb4d60 100644
files_read_etc_runtime_files(dhcpd_t)
files_search_var_lib(dhcpd_t)
-@@ -102,8 +103,6 @@ auth_use_nsswitch(dhcpd_t)
+@@ -102,22 +103,42 @@ auth_use_nsswitch(dhcpd_t)
logging_send_syslog_msg(dhcpd_t)
-miscfiles_read_localization(dhcpd_t)
-
++sysnet_read_config(dhcpd_t)
sysnet_read_dhcp_config(dhcpd_t)
userdom_dontaudit_use_unpriv_user_fds(dhcpd_t)
-@@ -113,11 +112,20 @@ tunable_policy(`dhcpd_use_ldap',`
- sysnet_use_ldap(dhcpd_t)
- ')
+ userdom_dontaudit_search_user_home_dirs(dhcpd_t)
-+ifdef(`distro_gentoo',`
-+ allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
+ tunable_policy(`dhcpd_use_ldap',`
+- sysnet_use_ldap(dhcpd_t)
++ allow dhcpd_t self:tcp_socket create_socket_perms;
++')
++
++tunable_policy(`dhcpd_use_ldap',`
++ corenet_tcp_sendrecv_generic_if(dhcpd_t)
++ corenet_tcp_sendrecv_generic_node(dhcpd_t)
++ corenet_tcp_sendrecv_ldap_port(dhcpd_t)
++ corenet_tcp_connect_ldap_port(dhcpd_t)
++ corenet_sendrecv_ldap_client_packets(dhcpd_t)
++')
++
++tunable_policy(`dhcpd_use_ldap',`
++ ldap_read_certs(dhcpd_t)
+')
+
++ifdef(`distro_gentoo',`
++ allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
+ ')
+
optional_policy(`
+ # used for dynamic DNS
bind_read_dnssec_keys(dhcpd_t)
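Review bot: The inlined replacement for sysnet_use_ldap(dhcpd_t) at L132-L147 drops rules the interface itself grants: `dev_read_rand`, `dev_read_urand` and `miscfiles_read_generic_certs` are visible in the interface and in the parallel authlogin.te inlining (L39-L46) but not here, so LDAPS from dhcpd under `dhcpd_use_ldap` is narrower than before the change. `ldap_read_certs(dhcpd_t)` at L146 is also placed in a bare tunable_policy(), whereas authlogin.te wraps the same call in optional_policy() (L53-L57); if ldap_read_certs() comes from the ldap module, as its name suggests, dhcp.te would then fail to build when that module's interfaces are absent. Note too that `sysnet_read_config(dhcpd_t)` at L123 is now unconditional where the interface applied it only under the tunable — presumably intended, but worth confirming. The enclosing dhcp.te content continues outside the hunk.
```m4
tunable_policy(`dhcpd_use_ldap',`
	# Support for LDAPS (matches sysnet_use_ldap())
	dev_read_rand(dhcpd_t)
	dev_read_urand(dhcpd_t)
	miscfiles_read_generic_certs(dhcpd_t)
')

optional_policy(`
	tunable_policy(`dhcpd_use_ldap',`
		ldap_read_certs(dhcpd_t)
	')
')
# … unchanged: distro_gentoo capability block …
```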
@@ -46493,15 +46509,17 @@ index c97c177..9411154 100644
netutils_domtrans_ping(mrtg_t)
diff --git a/mta.fc b/mta.fc
-index f42896c..cb2791a 100644
+index f42896c..36b363c 100644
--- a/mta.fc
+++ b/mta.fc
-@@ -2,33 +2,43 @@ HOME_DIR/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0)
+@@ -1,34 +1,44 @@
+-HOME_DIR/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0)
HOME_DIR/\.forward[^/]* -- gen_context(system_u:object_r:mail_home_t,s0)
HOME_DIR/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0)
HOME_DIR/\.mailrc -- gen_context(system_u:object_r:mail_home_t,s0)
-HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
-HOME_DIR/\.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
++HOME_DIR/\.esmtp_queue(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
+HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
+HOME_DIR/.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
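Review bot: The context line `HOME_DIR/.maildir(/.*)?` at L173 has an unescaped dot, unlike the escaped `\.esmtp_queue` and `\.mailrc` entries around it, so the pattern matches any single character in that position rather than only a literal `.`; it is not touched by this commit but sits in the same stanza being edited. Since file contexts are regular expressions, `HOME_DIR/\.maildir(/.*)?` is the intended form, and the same check applies to the `/root/` block that follows.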
@@ -46523,10 +46541,10 @@ index f42896c..cb2791a 100644
+/etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0)
+')
+
-+/root/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0)
+/root/\.forward -- gen_context(system_u:object_r:mail_home_t,s0)
+/root/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0)
+/root/\.mailrc -- gen_context(system_u:object_r:mail_home_t,s0)
++/root/\.esmtp_queue(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
+/root/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
+
+/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
@@ -46554,7 +46572,7 @@ index f42896c..cb2791a 100644
-/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
+/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
diff --git a/mta.if b/mta.if
-index ed81cac..e968c28 100644
+index ed81cac..8f217ea 100644
--- a/mta.if
+++ b/mta.if
@@ -1,4 +1,4 @@
@@ -47494,7 +47512,7 @@ index ed81cac..e968c28 100644
##
##
##
-@@ -1081,3 +1051,175 @@ interface(`mta_rw_user_mail_stream_sockets',`
+@@ -1081,3 +1051,177 @@ interface(`mta_rw_user_mail_stream_sockets',`
allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
')
@@ -47621,6 +47639,7 @@ index ed81cac..e968c28 100644
+ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
+ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, ".maildir")
+ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue")
++ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, ".esmtp_queue")
+')
+
+########################################
@@ -47645,6 +47664,7 @@ index ed81cac..e968c28 100644
+ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
+ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, ".maildir")
+ userdom_user_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue")
++ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, ".esmtp_queue")
+')
+
+########################################
@@ -73581,10 +73601,10 @@ index afc0068..3105104 100644
+ ')
')
diff --git a/quantum.te b/quantum.te
-index 769d1fd..8c49752 100644
+index 769d1fd..495cac4 100644
--- a/quantum.te
+++ b/quantum.te
-@@ -1,96 +1,134 @@
+@@ -1,96 +1,137 @@
-policy_module(quantum, 1.0.2)
+policy_module(quantum, 1.0.3)
@@ -73634,7 +73654,7 @@ index 769d1fd..8c49752 100644
-allow quantum_t self:key manage_key_perms;
-allow quantum_t self:tcp_socket { accept listen };
-allow quantum_t self:unix_stream_socket { accept listen };
-+allow neutron_t self:capability { sys_ptrace kill setgid setuid sys_resource net_admin sys_admin };
++allow neutron_t self:capability { dac_override sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw };
+allow neutron_t self:capability2 block_suspend;
+allow neutron_t self:process { setsched setrlimit signal_perms };
+allow neutron_t self:fifo_file rw_fifo_file_perms;
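Review bot: `dac_override` is added to neutron_t's self:capability set at L236 with no explanation beyond the changelog line "ALlow dac_override to neutron_t"; it lets the domain bypass all DAC file permission checks, which is one of the broadest capabilities a confined service can receive. Before granting it, the usual check is whether the denial stems from files owned by another user that could instead be labelled or chowned for neutron, and if it really is needed, a comment on the line should record the motivating denial so it can be revisited, e.g. `# dac_override/net_raw: see <BUG-ID placeholder>`. The same applies to `net_raw`, which is more plausibly required for the raw/packet sockets a network agent opens, but that inference is not supported by anything visible in this hunk.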
@@ -73648,39 +73668,38 @@ index 769d1fd..8c49752 100644
+create_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
+setattr_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
+logging_log_filetrans(neutron_t, neutron_log_t, dir)
++
++manage_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
++files_tmp_filetrans(neutron_t, neutron_tmp_t, file)
-manage_dirs_pattern(quantum_t, quantum_log_t, quantum_log_t)
-append_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
-create_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
-setattr_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
-logging_log_filetrans(quantum_t, quantum_log_t, dir)
-+manage_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
-+files_tmp_filetrans(neutron_t, neutron_tmp_t, file)
-
--manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t)
--files_tmp_filetrans(quantum_t, quantum_tmp_t, file)
+manage_dirs_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
+manage_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
+files_var_lib_filetrans(neutron_t, neutron_var_lib_t, dir)
+-manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t)
+-files_tmp_filetrans(quantum_t, quantum_tmp_t, file)
++can_exec(neutron_t, neutron_tmp_t)
+
-manage_dirs_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
-manage_files_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
-files_var_lib_filetrans(quantum_t, quantum_var_lib_t, dir)
-+can_exec(neutron_t, neutron_tmp_t)
-
--can_exec(quantum_t, quantum_tmp_t)
-+kernel_rw_kernel_sysctl(neutron_t)
+kernel_read_system_state(neutron_t)
+kernel_read_network_state(neutron_t)
+kernel_request_load_module(neutron_t)
++kernel_rw_kernel_sysctl(neutron_t)
++kernel_rw_net_sysctls(neutron_t)
--kernel_read_kernel_sysctls(quantum_t)
--kernel_read_system_state(quantum_t)
+-can_exec(quantum_t, quantum_tmp_t)
+corecmd_exec_shell(neutron_t)
+corecmd_exec_bin(neutron_t)
--corecmd_exec_shell(quantum_t)
--corecmd_exec_bin(quantum_t)
+-kernel_read_kernel_sysctls(quantum_t)
+-kernel_read_system_state(quantum_t)
+corenet_all_recvfrom_unlabeled(neutron_t)
+corenet_all_recvfrom_netlabel(neutron_t)
+corenet_tcp_sendrecv_generic_if(neutron_t)
@@ -73688,33 +73707,37 @@ index 769d1fd..8c49752 100644
+corenet_tcp_sendrecv_all_ports(neutron_t)
+corenet_tcp_bind_generic_node(neutron_t)
--corenet_all_recvfrom_unlabeled(quantum_t)
--corenet_all_recvfrom_netlabel(quantum_t)
--corenet_tcp_sendrecv_generic_if(quantum_t)
--corenet_tcp_sendrecv_generic_node(quantum_t)
--corenet_tcp_sendrecv_all_ports(quantum_t)
--corenet_tcp_bind_generic_node(quantum_t)
+-corecmd_exec_shell(quantum_t)
+-corecmd_exec_bin(quantum_t)
+corenet_tcp_bind_neutron_port(neutron_t)
+corenet_tcp_connect_keystone_port(neutron_t)
+corenet_tcp_connect_amqp_port(neutron_t)
+corenet_tcp_connect_mysqld_port(neutron_t)
+corenet_tcp_connect_osapi_compute_port(neutron_t)
--dev_list_sysfs(quantum_t)
--dev_read_urand(quantum_t)
+-corenet_all_recvfrom_unlabeled(quantum_t)
+-corenet_all_recvfrom_netlabel(quantum_t)
+-corenet_tcp_sendrecv_generic_if(quantum_t)
+-corenet_tcp_sendrecv_generic_node(quantum_t)
+-corenet_tcp_sendrecv_all_ports(quantum_t)
+-corenet_tcp_bind_generic_node(quantum_t)
+domain_read_all_domains_state(neutron_t)
+domain_named_filetrans(neutron_t)
--files_read_usr_files(quantum_t)
+-dev_list_sysfs(quantum_t)
+-dev_read_urand(quantum_t)
+dev_read_sysfs(neutron_t)
+dev_read_urand(neutron_t)
+dev_mounton_sysfs(neutron_t)
+dev_mount_sysfs_fs(neutron_t)
+dev_unmount_sysfs_fs(neutron_t)
--auth_use_nsswitch(quantum_t)
+-files_read_usr_files(quantum_t)
+files_mounton_non_security(neutron_t)
+-auth_use_nsswitch(quantum_t)
++fs_getattr_all_fs(neutron_t)
+
-libs_exec_ldconfig(quantum_t)
+auth_use_nsswitch(neutron_t)
@@ -73730,46 +73753,46 @@ index 769d1fd..8c49752 100644
+sysnet_exec_ifconfig(neutron_t)
+sysnet_manage_ifconfig_run(neutron_t)
+sysnet_filetrans_named_content_ifconfig(neutron_t)
++
++optional_policy(`
++ brctl_domtrans(neutron_t)
++')
optional_policy(`
- brctl_domtrans(quantum_t)
-+ brctl_domtrans(neutron_t)
++ dnsmasq_domtrans(neutron_t)
++ dnsmasq_signal(neutron_t)
++ dnsmasq_kill(neutron_t)
++ dnsmasq_read_state(neutron_t)
')
optional_policy(`
- mysql_stream_connect(quantum_t)
- mysql_read_config(quantum_t)
-+ dnsmasq_domtrans(neutron_t)
-+ dnsmasq_signal(neutron_t)
-+ dnsmasq_kill(neutron_t)
-+ dnsmasq_read_state(neutron_t)
++ iptables_domtrans(neutron_t)
+')
- mysql_tcp_connect(quantum_t)
+optional_policy(`
-+ iptables_domtrans(neutron_t)
- ')
-
- optional_policy(`
-- postgresql_stream_connect(quantum_t)
-- postgresql_unpriv_client(quantum_t)
+ mysql_stream_connect(neutron_t)
+ mysql_read_db_lnk_files(neutron_t)
+ mysql_read_config(neutron_t)
+ mysql_tcp_connect(neutron_t)
-+')
+ ')
-- postgresql_tcp_connect(quantum_t)
-+optional_policy(`
+ optional_policy(`
+- postgresql_stream_connect(quantum_t)
+- postgresql_unpriv_client(quantum_t)
+ postgresql_stream_connect(neutron_t)
+ postgresql_unpriv_client(neutron_t)
+ postgresql_tcp_connect(neutron_t)
- ')
-+
++')
+
+- postgresql_tcp_connect(quantum_t)
+optional_policy(`
+ openvswitch_domtrans(neutron_t)
+ openvswitch_stream_connect(neutron_t)
-+')
+ ')
+
+optional_policy(`
+ sudo_exec(neutron_t)
@@ -94435,10 +94458,10 @@ index 0000000..df82c36
+')
diff --git a/swift.te b/swift.te
new file mode 100644
-index 0000000..3faae22
+index 0000000..159ae72
--- /dev/null
+++ b/swift.te
-@@ -0,0 +1,87 @@
+@@ -0,0 +1,89 @@
+policy_module(swift, 1.0.0)
+
+########################################
@@ -94515,6 +94538,8 @@ index 0000000..3faae22
+
+files_dontaudit_search_home(swift_t)
+
++fs_getattr_all_fs(swift_t)
++
+auth_use_nsswitch(swift_t)
+
+libs_exec_ldconfig(swift_t)
@@ -101566,7 +101591,7 @@ index 9dec06c..88dcafb 100644
+ virt_stream_connect($1)
')
diff --git a/virt.te b/virt.te
-index 1f22fba..57af4d0 100644
+index 1f22fba..b1ba89c 100644
--- a/virt.te
+++ b/virt.te
@@ -1,147 +1,209 @@
@@ -102420,7 +102445,7 @@ index 1f22fba..57af4d0 100644
tunable_policy(`virt_use_samba',`
- fs_manage_cifs_files(virtd_t)
-+ fs_manage_nfs_files(virtd_t)
++ fs_manage_cifs_dirs(virtd_t)
fs_manage_cifs_files(virtd_t)
fs_read_cifs_symlinks(virtd_t)
')
@@ -102763,9 +102788,9 @@ index 1f22fba..57af4d0 100644
+allow virsh_t self:fifo_file rw_fifo_file_perms;
+allow virsh_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow virsh_t self:tcp_socket create_stream_socket_perms;
-
-+ps_process_pattern(virsh_t, svirt_sandbox_domain)
+
++ps_process_pattern(virsh_t, svirt_sandbox_domain)
+
+can_exec(virsh_t, virsh_exec_t)
virt_domtrans(virsh_t)
virt_manage_images(virsh_t)
@@ -102845,10 +102870,10 @@ index 1f22fba..57af4d0 100644
-logging_send_syslog_msg(virsh_t)
+systemd_exec_systemctl(virsh_t)
++
++auth_read_passwd(virsh_t)
-miscfiles_read_localization(virsh_t)
-+auth_read_passwd(virsh_t)
-+
+logging_send_syslog_msg(virsh_t)
sysnet_dns_name_resolve(virsh_t)
@@ -103045,12 +103070,12 @@ index 1f22fba..57af4d0 100644
+optional_policy(`
+ gnome_read_generic_cache_files(virtd_lxc_t)
+')
-+
+
+-sysnet_domtrans_ifconfig(virtd_lxc_t)
+optional_policy(`
+ setrans_manage_pid_files(virtd_lxc_t)
+')
-
--sysnet_domtrans_ifconfig(virtd_lxc_t)
++
+optional_policy(`
+ unconfined_domain(virtd_lxc_t)
+')
@@ -103416,10 +103441,10 @@ index 1f22fba..57af4d0 100644
+fs_manage_cgroup_files(svirt_qemu_net_t)
+
+term_pty(svirt_sandbox_file_t)
++
++auth_use_nsswitch(svirt_qemu_net_t)
-allow svirt_prot_exec_t self:process { execmem execstack };
-+auth_use_nsswitch(svirt_qemu_net_t)
-+
+rpm_read_db(svirt_qemu_net_t)
+
+logging_send_syslog_msg(svirt_qemu_net_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 97c4076..b32d916 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 157%{?dist}
+Release: 158%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -579,6 +579,17 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Fri Apr 25 2014 Lukas Vrabec 3.12.1-158
+- Fix bug in policy, needs back port to RHEL7/RHEL6
+- optional can not be used in boolean. But we want to call ldap_read_certs() in sysnet_use_ldap
+- Add support for ~/.esmtp_queue directory
+- Allow net_raw for neutron
+- ALlow dac_override to neutron_t
+- Allow neutron to r/w net sysctls
+- Allow neutron to getattr on all filesystems
+- Allow swift to getattr on all filesystems
+- Clean up sysnet_use_ldap()
+
* Fri Apr 25 2014 Lukas Vrabec 3.12.1-157
- Added fprintd dontaudit tmp dirs rule
- Add interface to allow tools to check the processes state of bind/named