diff --git a/policy-f18-base.patch b/policy-f18-base.patch index 72e3179..901141a 100644 --- a/policy-f18-base.patch +++ b/policy-f18-base.patch @@ -117703,7 +117703,7 @@ index 8796ca3..cb02728 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index e1e814d..37f3b90 100644 +index e1e814d..360fbbd 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -55,6 +55,7 @@ @@ -118225,7 +118225,33 @@ index e1e814d..37f3b90 100644 ') ######################################## -@@ -3135,6 +3446,25 @@ interface(`files_delete_isid_type_dirs',` +@@ -3059,6 +3370,25 @@ interface(`files_getattr_isid_type_dirs',` + + ######################################## + ## ++## Setattr of directories on new filesystems ++## that have not yet been labeled. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_setattr_isid_type_dirs',` ++ gen_require(` ++ type file_t; ++ ') ++ ++ allow $1 file_t:dir setattr; ++') ++ ++######################################## ++## + ## Do not audit attempts to search directories on new filesystems + ## that have not yet been labeled. + ## +@@ -3135,6 +3465,25 @@ interface(`files_delete_isid_type_dirs',` ######################################## ## @@ -118251,7 +118277,7 @@ index e1e814d..37f3b90 100644 ## Create, read, write, and delete directories ## on new filesystems that have not yet been labeled. ## -@@ -3382,6 +3712,25 @@ interface(`files_rw_isid_type_blk_files',` +@@ -3382,6 +3731,25 @@ interface(`files_rw_isid_type_blk_files',` ######################################## ## 
@@ -118277,7 +118303,7 @@ index e1e814d..37f3b90 100644 ## Create, read, write, and delete block device nodes ## on new filesystems that have not yet been labeled. ## -@@ -3723,20 +4072,38 @@ interface(`files_list_mnt',` +@@ -3723,20 +4091,38 @@ interface(`files_list_mnt',` ###################################### ## @@ -118321,7 +118347,7 @@ index e1e814d..37f3b90 100644 ') ######################################## -@@ -4126,6 +4493,133 @@ interface(`files_read_world_readable_sockets',` +@@ -4126,6 +4512,133 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') @@ -118455,7 +118481,7 @@ index e1e814d..37f3b90 100644 ######################################## ## ## Allow the specified type to associate -@@ -4148,6 +4642,26 @@ interface(`files_associate_tmp',` +@@ -4148,6 +4661,26 @@ interface(`files_associate_tmp',` ######################################## ## @@ -118482,7 +118508,7 @@ index e1e814d..37f3b90 100644 ## Get the attributes of the tmp directory (/tmp). ## ## -@@ -4161,6 +4675,7 @@ interface(`files_getattr_tmp_dirs',` +@@ -4161,6 +4694,7 @@ interface(`files_getattr_tmp_dirs',` type tmp_t; ') @@ -118490,7 +118516,7 @@ index e1e814d..37f3b90 100644 allow $1 tmp_t:dir getattr; ') -@@ -4171,7 +4686,7 @@ interface(`files_getattr_tmp_dirs',` +@@ -4171,7 +4705,7 @@ interface(`files_getattr_tmp_dirs',` ## ## ## @@ -118499,7 +118525,7 @@ index e1e814d..37f3b90 100644 ## ## # -@@ -4198,6 +4713,7 @@ interface(`files_search_tmp',` +@@ -4198,6 +4732,7 @@ interface(`files_search_tmp',` type tmp_t; ') @@ -118507,7 +118533,7 @@ index e1e814d..37f3b90 100644 allow $1 tmp_t:dir search_dir_perms; ') -@@ -4234,6 +4750,7 @@ interface(`files_list_tmp',` +@@ -4234,6 +4769,7 @@ interface(`files_list_tmp',` type tmp_t; ') @@ -118515,7 +118541,7 @@ index e1e814d..37f3b90 100644 allow $1 tmp_t:dir list_dir_perms; ') -@@ -4243,7 +4760,7 @@ interface(`files_list_tmp',` +@@ -4243,7 +4779,7 @@ interface(`files_list_tmp',` ## ## ## 
@@ -118524,7 +118550,7 @@ index e1e814d..37f3b90 100644 ## ## # -@@ -4255,6 +4772,25 @@ interface(`files_dontaudit_list_tmp',` +@@ -4255,6 +4791,25 @@ interface(`files_dontaudit_list_tmp',` dontaudit $1 tmp_t:dir list_dir_perms; ') @@ -118550,7 +118576,7 @@ index e1e814d..37f3b90 100644 ######################################## ## ## Remove entries from the tmp directory. -@@ -4270,6 +4806,7 @@ interface(`files_delete_tmp_dir_entry',` +@@ -4270,6 +4825,7 @@ interface(`files_delete_tmp_dir_entry',` type tmp_t; ') @@ -118558,7 +118584,7 @@ index e1e814d..37f3b90 100644 allow $1 tmp_t:dir del_entry_dir_perms; ') -@@ -4311,6 +4848,32 @@ interface(`files_manage_generic_tmp_dirs',` +@@ -4311,6 +4867,32 @@ interface(`files_manage_generic_tmp_dirs',` ######################################## ## 
@@ -118591,29 +118617,198 @@ index e1e814d..37f3b90 100644 ## Manage temporary files and directories in /tmp. ## ## -@@ -4365,6 +4928,42 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -4365,7 +4947,7 @@ interface(`files_rw_generic_tmp_sockets',` ######################################## ## +-## Set the attributes of all tmp directories. +## Relabel a dir from the type used in /tmp. + ## + ## + ## +@@ -4373,17 +4955,17 @@ interface(`files_rw_generic_tmp_sockets',` + ## + ## + # +-interface(`files_setattr_all_tmp_dirs',` ++interface(`files_relabelfrom_tmp_dirs',` + gen_require(` +- attribute tmpfile; ++ type tmp_t; + ') + +- allow $1 tmpfile:dir { search_dir_perms setattr }; ++ relabelfrom_dirs_pattern($1, tmp_t, tmp_t) + ') + + ######################################## + ## +-## List all tmp directories. ++## Relabel a file from the type used in /tmp. + ## + ## + ## +@@ -4391,59 +4973,53 @@ interface(`files_setattr_all_tmp_dirs',` + ## + ## + # +-interface(`files_list_all_tmp',` ++interface(`files_relabelfrom_tmp_files',` + gen_require(` +- attribute tmpfile; ++ type tmp_t; + ') + +- allow $1 tmpfile:dir list_dir_perms; ++ relabelfrom_files_pattern($1, tmp_t, tmp_t) + ') + + ######################################## + ## +-## Relabel to and from all temporary +-## directory types. ++## Set the attributes of all tmp directories. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`files_relabel_all_tmp_dirs',` ++interface(`files_setattr_all_tmp_dirs',` + gen_require(` + attribute tmpfile; +- type var_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- relabel_dirs_pattern($1, tmpfile, tmpfile) ++ allow $1 tmpfile:dir { search_dir_perms setattr }; + ') + + ######################################## + ## +-## Do not audit attempts to get the attributes +-## of all tmp files. ++## Allow caller to read inherited tmp files. + ## + ## + ## +-## Domain not to audit. ++## Domain allowed access. 
+ ## + ## + # +-interface(`files_dontaudit_getattr_all_tmp_files',` ++interface(`files_read_inherited_tmp_files',` + gen_require(` + attribute tmpfile; + ') + +- dontaudit $1 tmpfile:file getattr; ++ allow $1 tmpfile:file { append read_inherited_file_perms }; + ') + + ######################################## + ## +-## Allow attempts to get the attributes +-## of all tmp files. ++## Allow caller to append inherited tmp files. + ## + ## + ## +@@ -4451,54 +5027,132 @@ interface(`files_dontaudit_getattr_all_tmp_files',` + ## + ## + # +-interface(`files_getattr_all_tmp_files',` ++interface(`files_append_inherited_tmp_files',` + gen_require(` + attribute tmpfile; + ') + +- allow $1 tmpfile:file getattr; ++ allow $1 tmpfile:file append_inherited_file_perms; + ') + + ######################################## + ## +-## Relabel to and from all temporary +-## file types. ++## List all tmp directories. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`files_relabel_all_tmp_files',` ++interface(`files_list_all_tmp',` + gen_require(` + attribute tmpfile; +- type var_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- relabel_files_pattern($1, tmpfile, tmpfile) ++ allow $1 tmpfile:dir list_dir_perms; + ') + + ######################################## + ## +-## Do not audit attempts to get the attributes +-## of all tmp sock_file. ++## Relabel to and from all temporary ++## directory types. + ## + ## + ## +-## Domain not to audit. ++## Domain allowed access. + ## + ## ++## + # +-interface(`files_dontaudit_getattr_all_tmp_sockets',` ++interface(`files_relabel_all_tmp_dirs',` + gen_require(` + attribute tmpfile; ++ type var_t; + ') + +- dontaudit $1 tmpfile:sock_file getattr; +-') ++ allow $1 var_t:dir search_dir_perms; ++ relabel_dirs_pattern($1, tmpfile, tmpfile) ++') ++ ++######################################## ++## ++## Do not audit attempts to get the attributes ++## of all tmp files. +## +## +## -+## Domain allowed access. ++## Domain to not audit. 
+## +## +# -+interface(`files_relabelfrom_tmp_dirs',` ++interface(`files_dontaudit_getattr_all_tmp_files',` + gen_require(` -+ type tmp_t; ++ attribute tmpfile; + ') + -+ relabelfrom_dirs_pattern($1, tmp_t, tmp_t) ++ dontaudit $1 tmpfile:file getattr; +') + +######################################## +## -+## Relabel a file from the type used in /tmp. ++## Allow attempts to get the attributes ++## of all tmp files. +## +## +## 
@@ -118621,81 +118816,58 @@ index e1e814d..37f3b90 100644 +## +## +# -+interface(`files_relabelfrom_tmp_files',` ++interface(`files_getattr_all_tmp_files',` + gen_require(` -+ type tmp_t; ++ attribute tmpfile; + ') + -+ relabelfrom_files_pattern($1, tmp_t, tmp_t) ++ allow $1 tmpfile:file getattr; +') + +######################################## +## - ## Set the attributes of all tmp directories. - ## - ## -@@ -4383,6 +4982,42 @@ interface(`files_setattr_all_tmp_dirs',` - - ######################################## - ## -+## Allow caller to read inherited tmp files. ++## Relabel to and from all temporary ++## file types. +## +## +## +## Domain allowed access. +## +## ++## +# -+interface(`files_read_inherited_tmp_files',` ++interface(`files_relabel_all_tmp_files',` + gen_require(` + attribute tmpfile; ++ type var_t; + ') + -+ allow $1 tmpfile:file { append read_inherited_file_perms }; ++ allow $1 var_t:dir search_dir_perms; ++ relabel_files_pattern($1, tmpfile, tmpfile) +') + +######################################## +## -+## Allow caller to append inherited tmp files. ++## Do not audit attempts to get the attributes ++## of all tmp sock_file. +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# -+interface(`files_append_inherited_tmp_files',` ++interface(`files_dontaudit_getattr_all_tmp_sockets',` + gen_require(` + attribute tmpfile; + ') + -+ allow $1 tmpfile:file append_inherited_file_perms; ++ dontaudit $1 tmpfile:sock_file getattr; +') -+ -+######################################## -+## - ## List all tmp directories. - ## - ## -@@ -4428,7 +5063,7 @@ interface(`files_relabel_all_tmp_dirs',` - ## - ## - ## --## Domain not to audit. -+## Domain to not audit. - ## - ## - # -@@ -4488,7 +5123,7 @@ interface(`files_relabel_all_tmp_files',` - ## - ## - ## --## Domain not to audit. -+## Domain to not audit. 
- ## - ## - # -@@ -4573,6 +5208,16 @@ interface(`files_purge_tmp',` + + ######################################## + ## +@@ -4573,6 +5227,16 @@ interface(`files_purge_tmp',` delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) @@ -118712,17 +118884,14 @@ index e1e814d..37f3b90 100644 ') ######################################## -@@ -5150,12 +5795,30 @@ interface(`files_list_var',` +@@ -5150,6 +5814,24 @@ interface(`files_list_var',` ######################################## ## --## Create, read, write, and delete directories --## in the /var directory. +## Do not audit listing of the var directory (/var). - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain to not audit. +## +## @@ -118737,16 +118906,10 @@ index e1e814d..37f3b90 100644 + +######################################## +## -+## Create, read, write, and delete directories -+## in the /var directory. -+## -+## -+## -+## Domain allowed access. - ## - ## - # -@@ -5505,6 +6168,25 @@ interface(`files_read_var_lib_symlinks',` + ## Create, read, write, and delete directories + ## in the /var directory. + ## +@@ -5505,6 +6187,25 @@ interface(`files_read_var_lib_symlinks',` read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) ') @@ -118772,7 +118935,7 @@ index e1e814d..37f3b90 100644 # cjp: the next two interfaces really need to be fixed # in some way. They really neeed their own types. -@@ -5550,7 +6232,7 @@ interface(`files_manage_mounttab',` +@@ -5550,7 +6251,7 @@ interface(`files_manage_mounttab',` ######################################## ## @@ -118781,7 +118944,7 @@ index e1e814d..37f3b90 100644 ## ## ## -@@ -5558,12 +6240,13 @@ interface(`files_manage_mounttab',` +@@ -5558,12 +6259,13 @@ interface(`files_manage_mounttab',` ## ## # 
@@ -118797,7 +118960,7 @@ index e1e814d..37f3b90 100644 ') ######################################## -@@ -5581,6 +6264,7 @@ interface(`files_search_locks',` +@@ -5581,6 +6283,7 @@ interface(`files_search_locks',` type var_t, var_lock_t; ') @@ -118805,7 +118968,7 @@ index e1e814d..37f3b90 100644 allow $1 var_lock_t:lnk_file read_lnk_file_perms; search_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5607,7 +6291,26 @@ interface(`files_dontaudit_search_locks',` +@@ -5607,7 +6310,26 @@ interface(`files_dontaudit_search_locks',` ######################################## ## @@ -118833,7 +118996,7 @@ index e1e814d..37f3b90 100644 ## ## ## -@@ -5615,13 +6318,12 @@ interface(`files_dontaudit_search_locks',` +@@ -5615,13 +6337,12 @@ interface(`files_dontaudit_search_locks',` ## ## # @@ -118850,7 +119013,7 @@ index e1e814d..37f3b90 100644 ') ######################################## -@@ -5640,7 +6342,7 @@ interface(`files_rw_lock_dirs',` +@@ -5640,7 +6361,7 @@ interface(`files_rw_lock_dirs',` type var_t, var_lock_t; ') @@ -118859,7 +119022,7 @@ index e1e814d..37f3b90 100644 rw_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5673,7 +6375,6 @@ interface(`files_create_lock_dirs',` +@@ -5673,7 +6394,6 @@ interface(`files_create_lock_dirs',` ## Domain allowed access. ## ## @@ -118867,7 +119030,7 @@ index e1e814d..37f3b90 100644 # interface(`files_relabel_all_lock_dirs',` gen_require(` -@@ -5701,8 +6402,7 @@ interface(`files_getattr_generic_locks',` +@@ -5701,8 +6421,7 @@ interface(`files_getattr_generic_locks',` type var_t, var_lock_t; ') @@ -118877,7 +119040,7 @@ index e1e814d..37f3b90 100644 allow $1 var_lock_t:dir list_dir_perms; getattr_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5718,13 +6418,12 @@ interface(`files_getattr_generic_locks',` +@@ -5718,13 +6437,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` 
@@ -118895,7 +119058,7 @@ index e1e814d..37f3b90 100644 ') ######################################## -@@ -5743,8 +6442,7 @@ interface(`files_manage_generic_locks',` +@@ -5743,8 +6461,7 @@ interface(`files_manage_generic_locks',` type var_t, var_lock_t; ') @@ -118905,7 +119068,7 @@ index e1e814d..37f3b90 100644 manage_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5786,8 +6484,7 @@ interface(`files_read_all_locks',` +@@ -5786,8 +6503,7 @@ interface(`files_read_all_locks',` type var_t, var_lock_t; ') @@ -118915,7 +119078,7 @@ index e1e814d..37f3b90 100644 allow $1 lockfile:dir list_dir_perms; read_files_pattern($1, lockfile, lockfile) read_lnk_files_pattern($1, lockfile, lockfile) -@@ -5809,8 +6506,7 @@ interface(`files_manage_all_locks',` +@@ -5809,8 +6525,7 @@ interface(`files_manage_all_locks',` type var_t, var_lock_t; ') @@ -118925,7 +119088,7 @@ index e1e814d..37f3b90 100644 manage_dirs_pattern($1, lockfile, lockfile) manage_files_pattern($1, lockfile, lockfile) manage_lnk_files_pattern($1, lockfile, lockfile) -@@ -5847,8 +6543,7 @@ interface(`files_lock_filetrans',` +@@ -5847,8 +6562,7 @@ interface(`files_lock_filetrans',` type var_t, var_lock_t; ') @@ -118935,7 +119098,7 @@ index e1e814d..37f3b90 100644 filetrans_pattern($1, var_lock_t, $2, $3, $4) ') -@@ -5911,6 +6606,43 @@ interface(`files_search_pids',` +@@ -5911,6 +6625,43 @@ interface(`files_search_pids',` search_dirs_pattern($1, var_t, var_run_t) ') @@ -118979,7 +119142,7 @@ index e1e814d..37f3b90 100644 ######################################## ## ## Do not audit attempts to search -@@ -5933,6 +6665,25 @@ interface(`files_dontaudit_search_pids',` +@@ -5933,6 +6684,25 @@ interface(`files_dontaudit_search_pids',` ######################################## ## 
@@ -119005,7 +119168,7 @@ index e1e814d..37f3b90 100644 ## List the contents of the runtime process ## ID directories (/var/run). ## -@@ -6048,7 +6799,6 @@ interface(`files_pid_filetrans',` +@@ -6048,7 +6818,6 @@ interface(`files_pid_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -119013,7 +119176,7 @@ index e1e814d..37f3b90 100644 filetrans_pattern($1, var_run_t, $2, $3, $4) ') -@@ -6157,30 +6907,25 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -6157,30 +6926,25 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## @@ -119048,7 +119211,7 @@ index e1e814d..37f3b90 100644 ## ## ## -@@ -6188,43 +6933,35 @@ interface(`files_read_all_pids',` +@@ -6188,43 +6952,35 @@ interface(`files_read_all_pids',` ## ## # @@ -119099,7 +119262,7 @@ index e1e814d..37f3b90 100644 ## ## ## -@@ -6232,21 +6969,17 @@ interface(`files_delete_all_pids',` +@@ -6232,21 +6988,17 @@ interface(`files_delete_all_pids',` ## ## # @@ -119124,7 +119287,7 @@ index e1e814d..37f3b90 100644 ## ## ## -@@ -6254,56 +6987,59 @@ interface(`files_delete_all_pid_dirs',` +@@ -6254,56 +7006,59 @@ interface(`files_delete_all_pid_dirs',` ## ## # @@ -119200,7 +119363,7 @@ index e1e814d..37f3b90 100644 ## ## ## -@@ -6311,18 +7047,17 @@ interface(`files_list_spool',` +@@ -6311,18 +7066,17 @@ interface(`files_list_spool',` ## ## # @@ -119223,7 +119386,7 @@ index e1e814d..37f3b90 100644 ## ## ## -@@ -6330,19 +7065,18 @@ interface(`files_manage_generic_spool_dirs',` +@@ -6330,9 +7084,273 @@ interface(`files_manage_generic_spool_dirs',` ## ## # 
@@ -119232,62 +119395,40 @@ index e1e814d..37f3b90 100644 gen_require(` - type var_t, var_spool_t; + type var_run_t; - ') - -- list_dirs_pattern($1, var_t, var_spool_t) -- read_files_pattern($1, var_spool_t, var_spool_t) ++ ') ++ + exec_files_pattern($1, var_run_t, var_run_t) - ') - - ######################################## - ## --## Create, read, write, and delete generic --## spool files. ++') ++ ++######################################## ++## +## manage all pidfiles +## in the /var/run directory. - ## - ## - ## -@@ -6350,55 +7084,62 @@ interface(`files_read_generic_spool',` - ## - ## - # --interface(`files_manage_generic_spool',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_manage_all_pids',` - gen_require(` -- type var_t, var_spool_t; ++ gen_require(` + attribute pidfile; - ') - -- allow $1 var_t:dir search_dir_perms; -- manage_files_pattern($1, var_spool_t, var_spool_t) ++ ') ++ + manage_files_pattern($1,pidfile,pidfile) - ') - - ######################################## - ## --## Create objects in the spool directory --## with a private type with a type transition. ++') ++ ++######################################## ++## +## Mount filesystems on all polyinstantiation +## member directories. - ## - ## - ## - ## Domain allowed access. - ## - ## --## --## --## Type to which the created node will be transitioned. --## --## --## --## --## Object class(es) (single or set including {}) for which this --## the transition will occur. --## --## --## ++## ++## ++## ++## Domain allowed access. ++## ++## +# +interface(`files_mounton_all_poly_members',` + gen_require(` 
@@ -119302,69 +119443,48 @@ index e1e814d..37f3b90 100644 +## Delete all process IDs. +## +## - ## --## The name of the object being created. ++## +## Domain allowed access. - ## - ## ++## ++## +## - # --interface(`files_spool_filetrans',` ++# +interface(`files_delete_all_pids',` - gen_require(` -- type var_t, var_spool_t; ++ gen_require(` + attribute pidfile; + type var_t, var_run_t; - ') - - allow $1 var_t:dir search_dir_perms; -- filetrans_pattern($1, var_spool_t, $2, $3, $4) ++ ') ++ ++ allow $1 var_t:dir search_dir_perms; + allow $1 var_run_t:lnk_file read_lnk_file_perms; + allow $1 var_run_t:dir rmdir; + allow $1 var_run_t:lnk_file delete_lnk_file_perms; + delete_files_pattern($1, pidfile, pidfile) + delete_fifo_files_pattern($1, pidfile, pidfile) + delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) - ') - - ######################################## - ## --## Allow access to manage all polyinstantiated --## directories on the system. ++') ++ ++######################################## ++## +## Delete all process ID directories. - ## - ## - ## -@@ -6406,25 +7147,283 @@ interface(`files_spool_filetrans',` - ## - ## - # --interface(`files_polyinstantiate_all',` ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# +interface(`files_delete_all_pid_dirs',` - gen_require(` -- attribute polydir, polymember, polyparent; -- type poly_t; ++ gen_require(` + attribute pidfile; + type var_t, var_run_t; - ') - -- # Need to give access to /selinux/member -- selinux_compute_member($1) -- -- # Need sys_admin capability for mounting -- allow $1 self:capability { chown fsetid sys_admin fowner }; -- -- # Need to give access to the directories to be polyinstantiated -- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; -- -- # Need to give access to the polyinstantiated subdirectories -- allow $1 polymember:dir search_dir_perms; ++ ') ++ + allow $1 var_t:dir search_dir_perms; + allow $1 var_run_t:lnk_file read_lnk_file_perms; + delete_dirs_pattern($1, pidfile, pidfile) +') - -- # Need to give access to parent directories where original ++ +######################################## +## +## Make the specified type a file 
@@ -119539,102 +119659,10 @@ index e1e814d..37f3b90 100644 +interface(`files_read_generic_spool',` + gen_require(` + type var_t, var_spool_t; -+ ') -+ -+ list_dirs_pattern($1, var_t, var_spool_t) -+ read_files_pattern($1, var_spool_t, var_spool_t) -+') -+ -+######################################## -+## -+## Create, read, write, and delete generic -+## spool files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_manage_generic_spool',` -+ gen_require(` -+ type var_t, var_spool_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ manage_files_pattern($1, var_spool_t, var_spool_t) -+') -+ -+######################################## -+## -+## Create objects in the spool directory -+## with a private type with a type transition. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## Type to which the created node will be transitioned. -+## -+## -+## -+## -+## Object class(es) (single or set including {}) for which this -+## the transition will occur. -+## -+## -+## -+## -+## The name of the object being created. -+## -+## -+# -+interface(`files_spool_filetrans',` -+ gen_require(` -+ type var_t, var_spool_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ filetrans_pattern($1, var_spool_t, $2, $3, $4) -+') -+ -+######################################## -+## -+## Allow access to manage all polyinstantiated -+## directories on the system. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`files_polyinstantiate_all',` -+ gen_require(` -+ attribute polydir, polymember, polyparent; -+ type poly_t; -+ ') -+ -+ # Need to give access to /selinux/member -+ selinux_compute_member($1) -+ -+ # Need sys_admin capability for mounting -+ allow $1 self:capability { chown fsetid sys_admin fowner }; -+ -+ # Need to give access to the directories to be polyinstantiated -+ allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; -+ -+ # Need to give access to the polyinstantiated subdirectories -+ allow $1 polymember:dir search_dir_perms; -+ -+ # Need to give access to parent directories where original - # is remounted for polyinstantiation aware programs (like gdm) - allow $1 polyparent:dir { getattr mounton }; + ') -@@ -6467,3 +7466,457 @@ interface(`files_unconfined',` + list_dirs_pattern($1, var_t, var_spool_t) +@@ -6467,3 +7485,457 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -124769,7 +124797,7 @@ index ff92430..36740ea 100644 ## ## Execute a generic bin program in the sysadm domain. diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 44c198a..82eb9e5 100644 +index 44c198a..72a70fc 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -5,39 +5,73 @@ policy_module(sysadm, 2.5.0) @@ -125065,7 +125093,7 @@ index 44c198a..82eb9e5 100644 optional_policy(` - pyzor_role(sysadm_r, sysadm_t) -+ postfix_filetrans_named_content(sysadm_t) ++ postfix_admin(sysadm_t, sysadm_r) ') optional_policy(` @@ -130989,10 +131017,10 @@ index c6fdab7..c59902a 100644 cron_sigchld(application_domain_type) ') diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc -index 28ad538..ffa1f8f 100644 +index 28ad538..ebe81bf 100644 --- a/policy/modules/system/authlogin.fc 
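Review bot: Replacing `postfix_filetrans_named_content(sysadm_t)` with `postfix_admin(sysadm_t, sysadm_r)` in the sysadm.te hunk turns a narrow file-transition grant into the full administrative interface for the postfix domain, and nothing in the commit records why the wider grant is needed. For an admin role that is a plausible intent, but a short comment next to the call, e.g. `# postfix administration for the sysadm role (replaces the earlier filetrans-only grant)`, would stop the next reader treating it as an accidental widening. The surrounding `optional_policy` block is otherwise unchanged.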
+++ b/policy/modules/system/authlogin.fc -@@ -1,14 +1,25 @@ +@@ -1,14 +1,26 @@ +HOME_DIR/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0) +HOME_DIR/\.google_authenticator~ gen_context(system_u:object_r:auth_home_t,s0) +/root/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0) @@ -131005,6 +131033,7 @@ index 28ad538..ffa1f8f 100644 +/etc/group\.lock -- gen_context(system_u:object_r:passwd_file_t,s0) /etc/gshadow.* -- gen_context(system_u:object_r:shadow_t,s0) -/etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0) ++/etc/nshadow.* -- gen_context(system_u:object_r:shadow_t,s0) /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0) +/etc/security/opasswd -- gen_context(system_u:object_r:shadow_t,s0) +/etc/security/opasswd\.old -- gen_context(system_u:object_r:shadow_t,s0) @@ -131022,7 +131051,7 @@ index 28ad538..ffa1f8f 100644 /sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) /sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0) /sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0) -@@ -16,13 +27,24 @@ ifdef(`distro_suse', ` +@@ -16,13 +28,24 @@ ifdef(`distro_suse', ` /sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) ') @@ -131049,7 +131078,7 @@ index 28ad538..ffa1f8f 100644 /var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) -@@ -30,20 +52,24 @@ ifdef(`distro_gentoo', ` +@@ -30,20 +53,24 @@ ifdef(`distro_gentoo', ` /var/lib/abl(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) @@ -131079,7 +131108,7 @@ index 28ad538..ffa1f8f 100644 -/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index f416ce9..b4efacf 100644 +index f416ce9..4d4ec55 100644 --- a/policy/modules/system/authlogin.if 
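Review bot: The new `/etc/nshadow.*` file context in the authlogin.fc hunk is broader than the name transition added for it in the authlogin.if hunk at `@@ -664,6 +720,10 @@`, which only covers the exact name via `files_etc_filetrans($1, shadow_t, file, "nshadow")`. If the program that writes this file also creates a variant that matches the pattern (a lock or temporary name, say), that object is created with the parent directory's label rather than shadow_t until a relabel runs, even though it carries shadow content; the existing `shadow` and `gshadow` entries have the same gap, so this may be accepted practice in this module. Worth either an extra filetrans for any sibling name the producer is known to create, or a comment on the fc line naming the tool that writes `nshadow` so the mismatch is visibly deliberate.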
+++ b/policy/modules/system/authlogin.if @@ -23,11 +23,17 @@ interface(`auth_role',` @@ -131314,17 +131343,18 @@ index f416ce9..b4efacf 100644 ') ######################################## -@@ -664,6 +720,9 @@ interface(`auth_manage_shadow',` +@@ -664,6 +720,10 @@ interface(`auth_manage_shadow',` allow $1 shadow_t:file manage_file_perms; typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords; + files_var_filetrans($1, shadow_t, file, "shadow") + files_var_filetrans($1, shadow_t, file, "shadow-") + files_etc_filetrans($1, shadow_t, file, "gshadow") ++ files_etc_filetrans($1, shadow_t, file, "nshadow") ') ####################################### -@@ -763,7 +822,50 @@ interface(`auth_rw_faillog',` +@@ -763,7 +823,50 @@ interface(`auth_rw_faillog',` ') logging_search_logs($1) @@ -131376,7 +131406,7 @@ index f416ce9..b4efacf 100644 ') ####################################### -@@ -826,7 +928,7 @@ interface(`auth_rw_lastlog',` +@@ -826,7 +929,7 @@ interface(`auth_rw_lastlog',` ######################################## ## @@ -131385,7 +131415,7 @@ index f416ce9..b4efacf 100644 ## ## ## -@@ -834,12 +936,27 @@ interface(`auth_rw_lastlog',` +@@ -834,12 +937,27 @@ interface(`auth_rw_lastlog',` ## ## # @@ -131416,7 +131446,7 @@ index f416ce9..b4efacf 100644 ') ######################################## -@@ -854,15 +971,15 @@ interface(`auth_domtrans_pam',` +@@ -854,15 +972,15 @@ interface(`auth_domtrans_pam',` # interface(`auth_signal_pam',` gen_require(` @@ -131435,7 +131465,7 @@ index f416ce9..b4efacf 100644 ## ## ## -@@ -875,13 +992,33 @@ interface(`auth_signal_pam',` +@@ -875,13 +993,33 @@ interface(`auth_signal_pam',` ## ## # @@ -131473,7 +131503,7 @@ index f416ce9..b4efacf 100644 ') ######################################## -@@ -959,9 +1096,30 @@ interface(`auth_manage_var_auth',` +@@ -959,9 +1097,30 @@ interface(`auth_manage_var_auth',` ') files_search_var($1) 
@@ -131507,7 +131537,7 @@ index f416ce9..b4efacf 100644 ') ######################################## -@@ -1040,6 +1198,10 @@ interface(`auth_manage_pam_pid',` +@@ -1040,6 +1199,10 @@ interface(`auth_manage_pam_pid',` files_search_pids($1) allow $1 pam_var_run_t:dir manage_dir_perms; allow $1 pam_var_run_t:file manage_file_perms; @@ -131518,7 +131548,7 @@ index f416ce9..b4efacf 100644 ') ######################################## -@@ -1157,6 +1319,7 @@ interface(`auth_manage_pam_console_data',` +@@ -1157,6 +1320,7 @@ interface(`auth_manage_pam_console_data',` files_search_pids($1) manage_files_pattern($1, pam_var_console_t, pam_var_console_t) manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t) @@ -131526,7 +131556,7 @@ index f416ce9..b4efacf 100644 ') ####################################### -@@ -1526,6 +1689,25 @@ interface(`auth_setattr_login_records',` +@@ -1526,6 +1690,25 @@ interface(`auth_setattr_login_records',` ######################################## ## @@ -131552,7 +131582,7 @@ index f416ce9..b4efacf 100644 ## Read login records files (/var/log/wtmp). ## ## -@@ -1676,24 +1858,7 @@ interface(`auth_manage_login_records',` +@@ -1676,24 +1859,7 @@ interface(`auth_manage_login_records',` logging_rw_generic_log_dirs($1) allow $1 wtmp_t:file manage_file_perms; @@ -131578,7 +131608,7 @@ index f416ce9..b4efacf 100644 ') ######################################## -@@ -1717,11 +1882,13 @@ interface(`auth_relabel_login_records',` +@@ -1717,11 +1883,13 @@ interface(`auth_relabel_login_records',` ## # interface(`auth_use_nsswitch',` @@ -131595,7 +131625,7 @@ index f416ce9..b4efacf 100644 ') ######################################## -@@ -1755,3 +1922,199 @@ interface(`auth_unconfined',` +@@ -1755,3 +1923,199 @@ interface(`auth_unconfined',` typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') @@ -141400,10 +141430,10 @@ index 0000000..6d7c302 +/var/run/initramfs(/.*)? <> 
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..059885e +index 0000000..3e4cae7 --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,943 @@ +@@ -0,0 +1,962 @@ +## SELinux policy for systemd components + +####################################### @@ -142347,6 +142377,25 @@ index 0000000..059885e + systemd_exec_systemctl($1) + allow $1 systemd_unit_file_type:service start; +') ++ ++####################################### ++## ++## Start power unit files domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`systemd_status_all_unit_files',` ++ gen_require(` ++ attribute systemd_unit_file_type; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 systemd_unit_file_type:service status; ++') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 index 0000000..223e3f0 diff --git a/policy-f18-contrib.patch b/policy-f18-contrib.patch index 5fa2677..1b100a3 100644 --- a/policy-f18-contrib.patch +++ b/policy-f18-contrib.patch @@ -2132,7 +2132,7 @@ index 0000000..feabdf3 + files_getattr_all_sockets(antivirus_domain) +') diff --git a/apache.fc b/apache.fc -index fd9fa07..cca43af 100644 +index fd9fa07..dcb9d6e 100644 --- a/apache.fc +++ b/apache.fc @@ -1,20 +1,37 @@ 
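Review bot: The documentation of the new `systemd_status_all_unit_files` interface at the end of the systemd.if hunk does not describe what it grants: `## Start power unit files domain.` and `## Domain allowed to transition.` read as copied from a neighbouring interface, while the body only allows `status` on `systemd_unit_file_type:service` after `systemd_exec_systemctl($1)`. Suggest `## Get the status of all systemd unit files.` for the summary and `## Domain allowed access.` for the parameter, the wording the files.if interfaces in this diff use. Since the rule covers every unit file type, callers that only need one service's status would be better served by a per-service interface, but that is a separate policy choice.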
@@ -2233,7 +2233,12 @@ index fd9fa07..cca43af 100644 /var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -@@ -73,31 +100,50 @@ ifdef(`distro_suse', ` +@@ -69,35 +96,54 @@ ifdef(`distro_suse', ` + /var/cache/php-.* gen_context(system_u:object_r:httpd_cache_t,s0) + /var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) + /var/cache/php-mmcache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) +-/var/cache/rt3(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) ++/var/cache/rt(3|4)(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0) /var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) @@ -2275,7 +2280,7 @@ index fd9fa07..cca43af 100644 ') +/var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -+/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) ++/var/lib/rt(3|4)/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) + /var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/var/run/cherokee\.pid -- gen_context(system_u:object_r:httpd_var_run_t,s0) @@ -21287,7 +21292,7 @@ index 0000000..c4c7510 +') diff --git a/firewalld.te b/firewalld.te new file mode 100644 -index 0000000..97cb441 +index 0000000..90c8ee3 --- /dev/null +++ b/firewalld.te @@ -0,0 +1,95 @@ @@ -21355,7 +21360,7 @@ index 0000000..97cb441 + +fs_getattr_xattr_fs(firewalld_t) + -+auth_read_passwd(firewalld_t) ++auth_use_nsswitch(firewalld_t) + +logging_send_syslog_msg(firewalld_t) + @@ -31526,7 +31531,7 @@ index 572b5db..1e55f43 100644 +userdom_use_inherited_user_terminals(lockdev_t) + diff --git a/logrotate.te b/logrotate.te -index 7090dae..4aaa8fb 100644 +index 7090dae..8a2583b 100644 --- a/logrotate.te +++ b/logrotate.te @@ -29,9 +29,8 @@ files_type(logrotate_var_lib_t) 
@@ -31536,7 +31541,7 @@ index 7090dae..4aaa8fb 100644 -allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice }; -# for mailx -dontaudit logrotate_t self:capability { setuid setgid sys_ptrace }; -+allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice }; ++allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice sys_ptrace }; +dontaudit logrotate_t self:capability sys_resource; allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; @@ -31589,7 +31594,7 @@ index 7090dae..4aaa8fb 100644 # cjp: why is this needed? init_domtrans_script(logrotate_t) -@@ -112,21 +115,20 @@ logging_send_audit_msgs(logrotate_t) +@@ -112,21 +115,21 @@ logging_send_audit_msgs(logrotate_t) # cjp: why is this needed? logging_exec_all_logs(logrotate_t) @@ -31598,6 +31603,7 @@ index 7090dae..4aaa8fb 100644 +systemd_getattr_unit_files(logrotate_t) +systemd_start_all_unit_files(logrotate_t) +systemd_reload_all_services(logrotate_t) ++systemd_status_all_unit_files(logrotate_t) +init_stream_connect(logrotate_t) -seutil_dontaudit_read_config(logrotate_t) @@ -31620,7 +31626,7 @@ index 7090dae..4aaa8fb 100644 # for savelog can_exec(logrotate_t, logrotate_exec_t) -@@ -138,7 +140,7 @@ ifdef(`distro_debian', ` +@@ -138,7 +141,7 @@ ifdef(`distro_debian', ` ') optional_policy(` @@ -31629,7 +31635,7 @@ index 7090dae..4aaa8fb 100644 ') optional_policy(` -@@ -154,6 +156,10 @@ optional_policy(` +@@ -154,6 +157,10 @@ optional_policy(` ') optional_policy(` @@ -31640,7 +31646,7 @@ index 7090dae..4aaa8fb 100644 asterisk_domtrans(logrotate_t) ') -@@ -162,10 +168,20 @@ optional_policy(` +@@ -162,10 +169,20 @@ optional_policy(` ') optional_policy(` 
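Review bot: Adding `sys_ptrace` to logrotate_t's allowed capabilities is a privilege widening the hunk does not justify: the upstream lines this replaces only dontaudit'd that capability under a `# for mailx` comment, and the new allow carries no comment naming what needs it. The domain's `self:process ~{ ptrace ... }` rule (context line in the same hunk) still withholds process ptrace, which suggests the real trigger may be denial noise rather than a functional need; if so, `dontaudit logrotate_t self:capability sys_ptrace;` preserves the old behaviour without granting it. If a genuine need exists, document it inline, e.g. `# sys_ptrace: TODO name the helper that requires it`. The same hunk also keeps `dontaudit logrotate_t self:capability sys_resource;` directly after an allow that already includes `sys_resource`, which is redundant.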
@@ -31661,7 +31667,7 @@ index 7090dae..4aaa8fb 100644 cups_domtrans(logrotate_t) ') -@@ -178,6 +194,10 @@ optional_policy(` +@@ -178,6 +195,10 @@ optional_policy(` ') optional_policy(` @@ -31672,7 +31678,7 @@ index 7090dae..4aaa8fb 100644 icecast_signal(logrotate_t) ') -@@ -194,15 +214,19 @@ optional_policy(` +@@ -194,15 +215,19 @@ optional_policy(` ') optional_policy(` @@ -31693,7 +31699,7 @@ index 7090dae..4aaa8fb 100644 optional_policy(` samba_exec_log(logrotate_t) -@@ -217,6 +241,11 @@ optional_policy(` +@@ -217,6 +242,11 @@ optional_policy(` ') optional_policy(` @@ -31705,7 +31711,7 @@ index 7090dae..4aaa8fb 100644 squid_domtrans(logrotate_t) ') -@@ -228,3 +257,14 @@ optional_policy(` +@@ -228,3 +258,14 @@ optional_policy(` optional_policy(` varnishd_manage_log(logrotate_t) ') @@ -32398,10 +32404,10 @@ index 0000000..bd1d48e +') diff --git a/mailscanner.te b/mailscanner.te new file mode 100644 -index 0000000..45f3262 +index 0000000..d2f7a62 --- /dev/null +++ b/mailscanner.te -@@ -0,0 +1,85 @@ +@@ -0,0 +1,86 @@ +policy_module(mailscanner, 1.0.0) + +######################################## @@ -32435,6 +32441,7 @@ index 0000000..45f3262 +allow mscan_t self:fifo_file rw_fifo_file_perms; + +read_files_pattern(mscan_t, mscan_etc_t, mscan_etc_t) ++list_dirs_pattern(mscan_t, mscan_etc_t, mscan_etc_t) + +manage_files_pattern(mscan_t, mscan_var_run_t, mscan_var_run_t) +files_pid_filetrans(mscan_t, mscan_var_run_t, file) @@ -34316,10 +34323,10 @@ index 6647a35..f3b35e1 100644 userdom_dontaudit_use_unpriv_user_fds(monopd_t) diff --git a/mozilla.fc b/mozilla.fc -index 3a73e74..60e7237 100644 +index 3a73e74..0fa08be 100644 --- a/mozilla.fc 
+++ b/mozilla.fc -@@ -2,8 +2,17 @@ HOME_DIR/\.config/chromium(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0 +@@ -2,8 +2,18 @@ HOME_DIR/\.config/chromium(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0 HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) @@ -34331,13 +34338,14 @@ index 3a73e74..60e7237 100644 +HOME_DIR/\.gnash(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/\.lyx(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.spicec(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.ICAClient(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/zimbrauserdata(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) # # /bin -@@ -16,6 +25,12 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +@@ -16,6 +26,12 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) /usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0) /usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0) @@ -34350,7 +34358,7 @@ index 3a73e74..60e7237 100644 ifdef(`distro_debian',` /usr/lib/iceweasel/iceweasel -- gen_context(system_u:object_r:mozilla_exec_t,s0) ') -@@ -23,11 +38,20 @@ ifdef(`distro_debian',` +@@ -23,11 +39,20 @@ ifdef(`distro_debian',` # # /lib # @@ -34378,7 +34386,7 @@ index 3a73e74..60e7237 100644 +/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0) +') diff --git a/mozilla.if b/mozilla.if -index b397fde..9ba2af3 100644 +index b397fde..cccec7e 100644 --- a/mozilla.if +++ b/mozilla.if @@ -18,10 +18,11 @@ 
@@ -34528,7 +34536,7 @@ index b397fde..9ba2af3 100644 ## ## ## -@@ -275,28 +361,118 @@ interface(`mozilla_rw_tcp_sockets',` +@@ -275,28 +361,119 @@ interface(`mozilla_rw_tcp_sockets',` ## ## # @@ -34652,10 +34660,11 @@ index b397fde..9ba2af3 100644 + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".spicec") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".ICAClient") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, "zimbrauserdata") ++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".lyx") +') + diff --git a/mozilla.te b/mozilla.te -index d4fcb75..907ff48 100644 +index d4fcb75..8cf0087 100644 --- a/mozilla.te +++ b/mozilla.te @@ -7,19 +7,34 @@ policy_module(mozilla, 2.6.0) @@ -34818,7 +34827,7 @@ index d4fcb75..907ff48 100644 pulseaudio_stream_connect(mozilla_t) pulseaudio_manage_home_files(mozilla_t) ') -@@ -297,65 +317,101 @@ optional_policy(` +@@ -297,65 +317,102 @@ optional_policy(` # mozilla_plugin local policy # @@ -34847,6 +34856,7 @@ index d4fcb75..907ff48 100644 +manage_dirs_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t) +manage_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t) +manage_lnk_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t) ++manage_fifo_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t) +mozilla_filetrans_home_content(mozilla_plugin_t) manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) @@ -34935,7 +34945,7 @@ index d4fcb75..907ff48 100644 domain_use_interactive_fds(mozilla_plugin_t) domain_dontaudit_read_all_domains_state(mozilla_plugin_t) -@@ -363,55 +419,59 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t) +@@ -363,55 +420,59 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t) files_read_config_files(mozilla_plugin_t) files_read_usr_files(mozilla_plugin_t) files_list_mnt(mozilla_plugin_t) 
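Review bot: The line added in the mozilla_plugin_config_t section of mozilla.te, `manage_fifo_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)`, names the wrong source domain: every neighbouring rule in that block is for `mozilla_plugin_config_t`, and the identical `mozilla_plugin_t` rule is already added earlier in this file (hunk `@@ -34847,6 +34856,7 @@`). As written it is a no-op duplicate and, presumably, leaves the config domain without the fifo access the surrounding rules suggest was intended. If that is the intent, change it to `manage_fifo_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)`; otherwise drop the duplicate.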
@@ -35017,7 +35027,7 @@ index d4fcb75..907ff48 100644 ') optional_policy(` -@@ -422,24 +482,39 @@ optional_policy(` +@@ -422,24 +483,39 @@ optional_policy(` optional_policy(` dbus_system_bus_client(mozilla_plugin_t) dbus_session_bus_client(mozilla_plugin_t) @@ -35061,7 +35071,7 @@ index d4fcb75..907ff48 100644 ') optional_policy(` -@@ -447,10 +522,115 @@ optional_policy(` +@@ -447,10 +523,116 @@ optional_policy(` pulseaudio_stream_connect(mozilla_plugin_t) pulseaudio_setattr_home_dir(mozilla_plugin_t) pulseaudio_manage_home_files(mozilla_plugin_t) @@ -35121,6 +35131,7 @@ index d4fcb75..907ff48 100644 +manage_dirs_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t) +manage_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t) +manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t) ++manage_fifo_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t) + +corecmd_exec_bin(mozilla_plugin_config_t) +corecmd_exec_shell(mozilla_plugin_config_t) @@ -36985,7 +36996,7 @@ index c358d8f..1cc176c 100644 init_labeled_script_domtrans($1, munin_initrc_exec_t) domain_system_change_exemption($1) diff --git a/munin.te b/munin.te -index f17583b..3a691c7 100644 +index f17583b..addfbf2 100644 --- a/munin.te +++ b/munin.te @@ -5,6 +5,8 @@ policy_module(munin, 1.8.0) @@ -37124,11 +37135,11 @@ index f17583b..3a691c7 100644 dev_read_sysfs(disk_munin_plugin_t) dev_read_urand(disk_munin_plugin_t) +dev_read_all_blk_files(munin_disk_plugin_t) -+ -+fs_getattr_all_fs(disk_munin_plugin_t) -+fs_getattr_all_dirs(disk_munin_plugin_t) -storage_getattr_fixed_disk_dev(disk_munin_plugin_t) ++fs_getattr_all_fs(disk_munin_plugin_t) ++fs_getattr_all_dirs(disk_munin_plugin_t) ++ +storage_raw_read_fixed_disk(disk_munin_plugin_t) sysnet_read_config(disk_munin_plugin_t) 
@@ -37202,7 +37213,7 @@ index f17583b..3a691c7 100644 cups_stream_connect(services_munin_plugin_t) ') -@@ -279,6 +316,10 @@ optional_policy(` +@@ -279,6 +316,14 @@ optional_policy(` ') optional_policy(` @@ -37210,10 +37221,14 @@ index f17583b..3a691c7 100644 +') + +optional_policy(` ++ ntp_exec(services_munin_plugin_t) ++') ++ ++optional_policy(` postgresql_stream_connect(services_munin_plugin_t) ') -@@ -286,6 +327,18 @@ optional_policy(` +@@ -286,6 +331,18 @@ optional_policy(` snmp_read_snmp_var_lib_files(services_munin_plugin_t) ') @@ -37232,7 +37247,7 @@ index f17583b..3a691c7 100644 ################################## # # local policy for system plugins -@@ -295,12 +348,10 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms; +@@ -295,12 +352,10 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms; rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) @@ -37248,7 +37263,7 @@ index f17583b..3a691c7 100644 dev_read_sysfs(system_munin_plugin_t) dev_read_urand(system_munin_plugin_t) -@@ -313,3 +364,47 @@ init_read_utmp(system_munin_plugin_t) +@@ -313,3 +368,47 @@ init_read_utmp(system_munin_plugin_t) sysnet_exec_ifconfig(system_munin_plugin_t) term_getattr_unallocated_ttys(system_munin_plugin_t) @@ -41151,10 +41166,36 @@ index e79dccc..2a3c6af 100644 /var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0) /var/log/ntpstats(/.*)? gen_context(system_u:object_r:ntpd_log_t,s0) diff --git a/ntp.if b/ntp.if -index e80f8c0..0044e73 100644 +index e80f8c0..d60b451 100644 --- a/ntp.if 
+++ b/ntp.if -@@ -98,6 +98,48 @@ interface(`ntp_initrc_domtrans',` +@@ -37,6 +37,25 @@ interface(`ntp_domtrans',` + + ######################################## + ## ++## Execute ntp server in the caller domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`ntp_exec',` ++ gen_require(` ++ type ntpd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ can_exec($1, ntpd_exec_t) ++') ++ ++######################################## ++## + ## Execute ntp in the ntp domain, and + ## allow the specified role the ntp domain. + ## +@@ -98,6 +117,48 @@ interface(`ntp_initrc_domtrans',` init_labeled_script_domtrans($1, ntpd_initrc_exec_t) ') @@ -41203,7 +41244,7 @@ index e80f8c0..0044e73 100644 ######################################## ## ## Read and write ntpd shared memory. -@@ -122,6 +164,25 @@ interface(`ntp_rw_shm',` +@@ -122,6 +183,25 @@ interface(`ntp_rw_shm',` ######################################## ## @@ -41229,7 +41270,7 @@ index e80f8c0..0044e73 100644 ## All of the rules required to administrate ## an ntp environment ## -@@ -140,12 +201,15 @@ interface(`ntp_rw_shm',` +@@ -140,12 +220,15 @@ interface(`ntp_rw_shm',` interface(`ntp_admin',` gen_require(` type ntpd_t, ntpd_tmp_t, ntpd_log_t; @@ -41248,7 +41289,7 @@ index e80f8c0..0044e73 100644 init_labeled_script_domtrans($1, ntpd_initrc_exec_t) domain_system_change_exemption($1) -@@ -162,4 +226,8 @@ interface(`ntp_admin',` +@@ -162,4 +245,8 @@ interface(`ntp_admin',` files_list_pids($1) admin_pattern($1, ntpd_var_run_t) @@ -43846,10 +43887,10 @@ index 0000000..14f29e4 +') diff --git a/openvswitch.te b/openvswitch.te new file mode 100644 -index 0000000..31370ed +index 0000000..f6e0f04 --- /dev/null +++ b/openvswitch.te -@@ -0,0 +1,83 @@ +@@ -0,0 +1,84 @@ +policy_module(openvswitch, 1.0.0) + +######################################## 
@@ -43886,6 +43927,7 @@ index 0000000..31370ed +allow openvswitch_t self:fifo_file rw_fifo_file_perms; +allow openvswitch_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow openvswitch_t self:netlink_socket create_socket_perms; ++allow openvswitch_t self:netlink_route_socket rw_netlink_socket_perms; + +can_exec(openvswitch_t, openvswitch_exec_t) + @@ -48097,7 +48139,7 @@ index 1ddfa16..c0e0959 100644 /var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0) /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0) diff --git a/postfix.if b/postfix.if -index 46bee12..8ef270f 100644 +index 46bee12..20a3ccd 100644 --- a/postfix.if +++ b/postfix.if @@ -28,75 +28,23 @@ interface(`postfix_stub',` 
@@ -48353,7 +48395,69 @@ index 46bee12..8ef270f 100644 ## Execute the master postdrop in the ## postfix_postdrop domain. ## -@@ -462,7 +492,7 @@ interface(`postfix_domtrans_postqueue',` +@@ -452,6 +482,61 @@ interface(`postfix_domtrans_postqueue',` + domtrans_pattern($1, postfix_postqueue_exec_t, postfix_postqueue_t) + ') + ++######################################## ++## ++## Execute the master postqueue in the ++## postfix_postdrop domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++## ++## ++## The role to be allowed the iptables domain. ++## ++## ++## ++# ++ ++interface(`postfix_run_postqueue',` ++ gen_require(` ++ type postfix_postqueue_t; ++ ') ++ ++ postfix_domtrans_postqueue($1) ++ role $2 types postfix_postqueue_t; ++ allow postfix_postqueue_t $1:unix_stream_socket { read write getattr }; ++') ++ ++######################################## ++## ++## Execute postfix_postgqueue in the postfix_postgqueue domain, and ++## allow the specified role the postfix_postgqueue domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`postfix_run_postgqueue',` ++ gen_require(` ++ type postfix_postgqueue_t; ++ ') ++ ++ postfix_domtrans_postgqueue($1) ++ role $2 types postfix_postgqueue_t; ++') ++ ++ + ####################################### + ## + ## Execute the master postqueue in the caller domain. +@@ -462,7 +547,7 @@ interface(`postfix_domtrans_postqueue',` ## ## # @@ -48362,7 +48466,7 @@ index 46bee12..8ef270f 100644 gen_require(` type postfix_postqueue_exec_t; ') -@@ -529,6 +559,25 @@ interface(`postfix_domtrans_smtp',` +@@ -529,6 +614,25 @@ interface(`postfix_domtrans_smtp',` ######################################## ## 
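Review bot: The XML doc of the new `postfix_run_postqueue` interface does not describe what it grants: the summary says "in the postfix_postdrop domain" and the role parameter says "The role to be allowed the iptables domain.", while the body calls `postfix_domtrans_postqueue($1)` and `role $2 types postfix_postqueue_t;`. Use `## Execute postqueue in the postfix_postqueue domain, and allow the specified role the postfix_postqueue domain.` and `## Role allowed access.`, and remove the blank line between the `#` marker and the `interface(` line so the doc block attaches to the interface. The sibling `postfix_run_postgqueue` references `postfix_postgqueue_t` and `postfix_domtrans_postgqueue`, neither of which is declared anywhere on this page; if "postgqueue" is a typo for postqueue the interface is a duplicate, and if it is meant as a distinct domain the type and domtrans interface have to exist before this builds. There is also a doubled blank line after it, before the next section header.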
@@ -48388,7 +48492,7 @@ index 46bee12..8ef270f 100644 ## Search postfix mail spool directories. ## ## -@@ -539,10 +588,10 @@ interface(`postfix_domtrans_smtp',` +@@ -539,10 +643,10 @@ interface(`postfix_domtrans_smtp',` # interface(`postfix_search_spool',` gen_require(` @@ -48401,7 +48505,7 @@ index 46bee12..8ef270f 100644 files_search_spool($1) ') -@@ -558,10 +607,10 @@ interface(`postfix_search_spool',` +@@ -558,10 +662,10 @@ interface(`postfix_search_spool',` # interface(`postfix_list_spool',` gen_require(` @@ -48414,7 +48518,7 @@ index 46bee12..8ef270f 100644 files_search_spool($1) ') -@@ -577,11 +626,11 @@ interface(`postfix_list_spool',` +@@ -577,11 +681,11 @@ interface(`postfix_list_spool',` # interface(`postfix_read_spool_files',` gen_require(` @@ -48428,7 +48532,7 @@ index 46bee12..8ef270f 100644 ') ######################################## -@@ -596,11 +645,31 @@ interface(`postfix_read_spool_files',` +@@ -596,11 +700,31 @@ interface(`postfix_read_spool_files',` # interface(`postfix_manage_spool_files',` gen_require(` @@ -48462,7 +48566,7 @@ index 46bee12..8ef270f 100644 ') ######################################## -@@ -621,3 +690,155 @@ interface(`postfix_domtrans_user_mail_handler',` +@@ -621,3 +745,157 @@ interface(`postfix_domtrans_user_mail_handler',` typeattribute $1 postfix_user_domtrans; ') @@ -48528,6 +48632,7 @@ index 46bee12..8ef270f 100644 + + postfix_run_map($1, $2) + postfix_run_postdrop($1, $2) ++ postfix_run_postqueue($1, $2) + + postfix_initrc_domtrans($1) + domain_system_change_exemption($1) @@ -48581,6 +48686,7 @@ index 46bee12..8ef270f 100644 + allow postfix_postdrop_t $1:unix_stream_socket { read write getattr }; +') + ++ +######################################## +## +## Execute postfix exec in the users domain @@ -48619,7 +48725,7 @@ index 46bee12..8ef270f 100644 + postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") +') diff --git a/postfix.te b/postfix.te -index a1e0f60..85b12af 100644 +index a1e0f60..ae56a3e 100644 
--- a/postfix.te +++ b/postfix.te @@ -5,6 +5,15 @@ policy_module(postfix, 1.14.0) @@ -48780,7 +48886,7 @@ index a1e0f60..85b12af 100644 mta_rw_aliases(postfix_master_t) mta_read_sendmail_bin(postfix_master_t) -@@ -195,7 +216,7 @@ optional_policy(` +@@ -195,15 +216,11 @@ optional_policy(` ') optional_policy(` @@ -48789,7 +48895,15 @@ index a1e0f60..85b12af 100644 mailman_manage_data_files(postfix_master_t) ') -@@ -220,13 +241,17 @@ allow postfix_bounce_t self:capability dac_read_search; + optional_policy(` +- mysql_stream_connect(postfix_master_t) +-') +- +-optional_policy(` + postgrey_search_spool(postfix_master_t) + ') + +@@ -220,13 +237,17 @@ allow postfix_bounce_t self:capability dac_read_search; allow postfix_bounce_t self:tcp_socket create_socket_perms; allow postfix_bounce_t postfix_public_t:sock_file write; @@ -48808,7 +48922,7 @@ index a1e0f60..85b12af 100644 manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) -@@ -237,22 +262,31 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool +@@ -237,22 +258,31 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool # allow postfix_cleanup_t self:process setrlimit; @@ -48840,7 +48954,7 @@ index a1e0f60..85b12af 100644 mta_read_aliases(postfix_cleanup_t) optional_policy(` -@@ -264,7 +298,6 @@ optional_policy(` +@@ -264,7 +294,6 @@ optional_policy(` # Postfix local local policy # 
@@ -48848,7 +48962,7 @@ index a1e0f60..85b12af 100644 allow postfix_local_t self:process { setsched setrlimit }; # connect to master process -@@ -272,28 +305,51 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post +@@ -272,28 +301,51 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post # for .forward - maybe we need a new type for it? rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t) @@ -48905,7 +49019,7 @@ index a1e0f60..85b12af 100644 ') optional_policy(` -@@ -304,9 +360,26 @@ optional_policy(` +@@ -304,9 +356,26 @@ optional_policy(` ') optional_policy(` @@ -48932,7 +49046,7 @@ index a1e0f60..85b12af 100644 ######################################## # # Postfix map local policy -@@ -329,7 +402,6 @@ kernel_read_kernel_sysctls(postfix_map_t) +@@ -329,7 +398,6 @@ kernel_read_kernel_sysctls(postfix_map_t) kernel_dontaudit_list_proc(postfix_map_t) kernel_dontaudit_read_system_state(postfix_map_t) @@ -48940,7 +49054,7 @@ index a1e0f60..85b12af 100644 corenet_all_recvfrom_netlabel(postfix_map_t) corenet_tcp_sendrecv_generic_if(postfix_map_t) corenet_udp_sendrecv_generic_if(postfix_map_t) -@@ -348,7 +420,6 @@ corecmd_read_bin_sockets(postfix_map_t) +@@ -348,7 +416,6 @@ corecmd_read_bin_sockets(postfix_map_t) files_list_home(postfix_map_t) files_read_usr_files(postfix_map_t) @@ -48948,7 +49062,7 @@ index a1e0f60..85b12af 100644 files_read_etc_runtime_files(postfix_map_t) files_dontaudit_search_var(postfix_map_t) -@@ -356,8 +427,6 @@ auth_use_nsswitch(postfix_map_t) +@@ -356,8 +423,6 @@ auth_use_nsswitch(postfix_map_t) logging_send_syslog_msg(postfix_map_t) 
@@ -48957,7 +49071,7 @@ index a1e0f60..85b12af 100644 optional_policy(` locallogin_dontaudit_use_fds(postfix_map_t) ') -@@ -379,18 +448,24 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p +@@ -379,18 +444,24 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) @@ -48983,7 +49097,7 @@ index a1e0f60..85b12af 100644 allow postfix_pipe_t self:process setrlimit; write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t) -@@ -401,6 +476,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) +@@ -401,6 +472,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t) @@ -48992,7 +49106,7 @@ index a1e0f60..85b12af 100644 optional_policy(` dovecot_domtrans_deliver(postfix_pipe_t) ') -@@ -420,6 +497,7 @@ optional_policy(` +@@ -420,6 +493,7 @@ optional_policy(` optional_policy(` spamassassin_domtrans_client(postfix_pipe_t) @@ -49000,7 +49114,7 @@ index a1e0f60..85b12af 100644 ') optional_policy(` -@@ -436,11 +514,17 @@ allow postfix_postdrop_t self:capability sys_resource; +@@ -436,11 +510,17 @@ allow postfix_postdrop_t self:capability sys_resource; allow postfix_postdrop_t self:tcp_socket create; allow postfix_postdrop_t self:udp_socket create_socket_perms; 
@@ -49018,7 +49132,7 @@ index a1e0f60..85b12af 100644 corenet_udp_sendrecv_generic_if(postfix_postdrop_t) corenet_udp_sendrecv_generic_node(postfix_postdrop_t) -@@ -487,8 +571,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t +@@ -487,8 +567,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t) # to write the mailq output, it really should not need read access! @@ -49029,7 +49143,7 @@ index a1e0f60..85b12af 100644 init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) -@@ -519,7 +603,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) +@@ -519,7 +599,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms; allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms; @@ -49042,7 +49156,7 @@ index a1e0f60..85b12af 100644 corecmd_exec_bin(postfix_qmgr_t) -@@ -539,7 +627,9 @@ postfix_list_spool(postfix_showq_t) +@@ -539,7 +623,9 @@ postfix_list_spool(postfix_showq_t) allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms; allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms; @@ -49053,7 +49167,7 @@ index a1e0f60..85b12af 100644 # to write the mailq output, it really should not need read access! term_use_all_ptys(postfix_showq_t) -@@ -558,6 +648,12 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms; +@@ -558,6 +644,12 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms; allow postfix_smtp_t postfix_spool_t:file rw_file_perms; @@ -49066,7 +49180,7 @@ index a1e0f60..85b12af 100644 files_search_all_mountpoints(postfix_smtp_t) optional_policy(` -@@ -565,6 +661,14 @@ optional_policy(` +@@ -565,6 +657,14 @@ optional_policy(` ') optional_policy(` 
@@ -49081,7 +49195,7 @@ index a1e0f60..85b12af 100644 milter_stream_connect_all(postfix_smtp_t) ') -@@ -581,17 +685,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t }, +@@ -581,17 +681,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t }, corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t) # for prng_exch @@ -49108,7 +49222,7 @@ index a1e0f60..85b12af 100644 ') optional_policy(` -@@ -599,6 +711,11 @@ optional_policy(` +@@ -599,6 +707,11 @@ optional_policy(` ') optional_policy(` @@ -49120,7 +49234,7 @@ index a1e0f60..85b12af 100644 postgrey_stream_connect(postfix_smtpd_t) ') -@@ -611,7 +728,6 @@ optional_policy(` +@@ -611,7 +724,6 @@ optional_policy(` # Postfix virtual local policy # @@ -49128,7 +49242,7 @@ index a1e0f60..85b12af 100644 allow postfix_virtual_t self:process { setsched setrlimit }; allow postfix_virtual_t postfix_spool_t:file rw_file_perms; -@@ -622,7 +738,6 @@ stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t } +@@ -622,7 +734,6 @@ stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t } corecmd_exec_shell(postfix_virtual_t) corecmd_exec_bin(postfix_virtual_t) @@ -49136,7 +49250,7 @@ index a1e0f60..85b12af 100644 files_read_usr_files(postfix_virtual_t) mta_read_aliases(postfix_virtual_t) -@@ -630,3 +745,76 @@ mta_delete_spool(postfix_virtual_t) +@@ -630,3 +741,80 @@ mta_delete_spool(postfix_virtual_t) # For reading spamassasin mta_read_config(postfix_virtual_t) mta_manage_spool(postfix_virtual_t) @@ -49206,6 +49320,10 @@ index a1e0f60..85b12af 100644 +userdom_dontaudit_use_unpriv_user_fds(postfix_domain) + +optional_policy(` ++ mysql_stream_connect(postfix_domain) ++') ++ ++optional_policy(` + spamd_stream_connect(postfix_domain) + spamassassin_domtrans_client(postfix_domain) +') @@ -56117,7 +56235,7 @@ index 137605a..fd40b90 100644 + ') ') 
diff --git a/rhsmcertd.te b/rhsmcertd.te -index 783f678..14193ca 100644 +index 783f678..62c40bb 100644 --- a/rhsmcertd.te +++ b/rhsmcertd.te @@ -29,6 +29,9 @@ files_pid_file(rhsmcertd_var_run_t) @@ -56130,7 +56248,7 @@ index 783f678..14193ca 100644 allow rhsmcertd_t self:fifo_file rw_fifo_file_perms; allow rhsmcertd_t self:unix_stream_socket create_stream_socket_perms; -@@ -43,17 +46,36 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t) +@@ -43,17 +46,40 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t) manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t) manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t) @@ -56139,24 +56257,28 @@ index 783f678..14193ca 100644 +kernel_read_network_state(rhsmcertd_t) kernel_read_system_state(rhsmcertd_t) ++corenet_tcp_connect_http_port(rhsmcertd_t) ++ +files_list_tmp(rhsmcertd_t) + corecmd_exec_bin(rhsmcertd_t) ++corecmd_exec_shell(rhsmcertd_t) +dev_read_rand(rhsmcertd_t) dev_read_urand(rhsmcertd_t) +dev_read_sysfs(rhsmcertd_t) ++dev_read_raw_memory(rhsmcertd_t) files_read_etc_files(rhsmcertd_t) files_read_usr_files(rhsmcertd_t) +files_manage_generic_locks(rhsmcertd_t) + +auth_read_passwd(rhsmcertd_t) -+ -+logging_send_syslog_msg(rhsmcertd_t) -miscfiles_read_localization(rhsmcertd_t) -miscfiles_read_generic_certs(rhsmcertd_t) ++logging_send_syslog_msg(rhsmcertd_t) ++ +miscfiles_read_certs(rhsmcertd_t) sysnet_dns_name_resolve(rhsmcertd_t) @@ -67817,7 +67939,7 @@ index 67b5592..ccddff5 100644 corenet_tcp_sendrecv_generic_if(timidity_t) corenet_udp_sendrecv_generic_if(timidity_t) diff --git a/tmpreaper.te b/tmpreaper.te -index 0521d5a..4ad0788 100644 +index 0521d5a..b08a00a 100644 --- a/tmpreaper.te +++ b/tmpreaper.te @@ -7,6 +7,7 @@ policy_module(tmpreaper, 1.6.0) 
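Review bot: `dev_read_raw_memory(rhsmcertd_t)` gives the subscription-manager certificate daemon read access to the raw memory device nodes, which is far broader than a certificate-refresh task needs, and together with the new `corecmd_exec_shell(rhsmcertd_t)` it materially weakens the domain's confinement. If the trigger is a hardware-facts helper that reads /dev/mem (the surrounding `dev_read_sysfs` additions hint at hardware inventory), the usual refpolicy pattern is a domain transition into that helper's own domain, or a `dontaudit` if the read is not required for correct operation; neither is visible here. At minimum the rule needs a comment naming the consumer, e.g. `# TODO(review): <helper> reads /dev/mem for hardware facts — confirm and scope`.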
@@ -67828,7 +67950,7 @@ index 0521d5a..4ad0788 100644 application_domain(tmpreaper_t, tmpreaper_exec_t) role system_r types tmpreaper_t; -@@ -18,33 +19,47 @@ role system_r types tmpreaper_t; +@@ -18,33 +19,48 @@ role system_r types tmpreaper_t; allow tmpreaper_t self:process { fork sigchld }; allow tmpreaper_t self:capability { dac_override dac_read_search fowner }; @@ -67845,6 +67967,7 @@ index 0521d5a..4ad0788 100644 +files_delete_all_non_security_files(tmpreaper_t) # why does it need setattr? files_setattr_all_tmp_dirs(tmpreaper_t) ++files_setattr_isid_type_dirs(tmpreaper_t) +files_setattr_usr_dirs(tmpreaper_t) files_getattr_all_dirs(tmpreaper_t) files_getattr_all_files(tmpreaper_t) @@ -67882,7 +68005,7 @@ index 0521d5a..4ad0788 100644 ') optional_policy(` -@@ -52,7 +67,9 @@ optional_policy(` +@@ -52,7 +68,9 @@ optional_policy(` ') optional_policy(` @@ -67892,7 +68015,7 @@ index 0521d5a..4ad0788 100644 apache_delete_cache_files(tmpreaper_t) apache_setattr_cache_dirs(tmpreaper_t) ') -@@ -66,9 +83,17 @@ optional_policy(` +@@ -66,9 +84,17 @@ optional_policy(` ') optional_policy(` @@ -71006,7 +71129,7 @@ index 6f0736b..408a20a 100644 + allow svirt_lxc_domain $1:process sigchld; ') diff --git a/virt.te b/virt.te -index 947bbc6..609bc32 100644 +index 947bbc6..12c15cb 100644 --- a/virt.te +++ b/virt.te @@ -5,56 +5,104 @@ policy_module(virt, 1.5.0) @@ -71363,7 +71486,7 @@ index 947bbc6..609bc32 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -202,19 +298,28 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +@@ -202,19 +298,29 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) manage_files_pattern(virtd_t, virt_image_type, virt_image_type) 
@@ -71376,6 +71499,7 @@ index 947bbc6..609bc32 100644 -manage_files_pattern(virtd_t, virt_log_t, virt_log_t) -logging_log_filetrans(virtd_t, virt_log_t, { file dir }) +manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type) ++allow virtd_t virt_image_type:dir setattr; +allow virtd_t virt_image_type:file relabel_file_perms; +allow virtd_t virt_image_type:blk_file relabel_blk_file_perms; +allow virtd_t virt_image_type:chr_file relabel_chr_file_perms; @@ -71398,7 +71522,7 @@ index 947bbc6..609bc32 100644 manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -@@ -225,16 +330,22 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -225,16 +331,22 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) @@ -71422,7 +71546,7 @@ index 947bbc6..609bc32 100644 corenet_all_recvfrom_netlabel(virtd_t) corenet_tcp_sendrecv_generic_if(virtd_t) corenet_tcp_sendrecv_generic_node(virtd_t) -@@ -247,22 +358,31 @@ corenet_tcp_connect_soundd_port(virtd_t) +@@ -247,22 +359,31 @@ corenet_tcp_connect_soundd_port(virtd_t) corenet_rw_tun_tap_dev(virtd_t) dev_rw_sysfs(virtd_t) @@ -71456,7 +71580,7 @@ index 947bbc6..609bc32 100644 fs_list_auto_mountpoints(virtd_t) fs_getattr_xattr_fs(virtd_t) -@@ -270,6 +390,18 @@ fs_rw_anon_inodefs_files(virtd_t) +@@ -270,6 +391,18 @@ fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) fs_rw_cgroup_files(virtd_t) @@ -71475,7 +71599,7 @@ index 947bbc6..609bc32 100644 mcs_process_set_categories(virtd_t) -@@ -284,7 +416,8 @@ term_use_ptmx(virtd_t) +@@ -284,7 +417,8 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) 
@@ -71485,7 +71609,7 @@ index 947bbc6..609bc32 100644 miscfiles_read_generic_certs(virtd_t) miscfiles_read_hwdata(virtd_t) -@@ -293,17 +426,36 @@ modutils_read_module_config(virtd_t) +@@ -293,17 +427,36 @@ modutils_read_module_config(virtd_t) modutils_manage_module_config(virtd_t) logging_send_syslog_msg(virtd_t) @@ -71522,7 +71646,7 @@ index 947bbc6..609bc32 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -322,6 +474,10 @@ optional_policy(` +@@ -322,6 +475,10 @@ optional_policy(` ') optional_policy(` @@ -71533,7 +71657,7 @@ index 947bbc6..609bc32 100644 dbus_system_bus_client(virtd_t) optional_policy(` -@@ -335,19 +491,34 @@ optional_policy(` +@@ -335,19 +492,34 @@ optional_policy(` optional_policy(` hal_dbus_chat(virtd_t) ') @@ -71569,7 +71693,7 @@ index 947bbc6..609bc32 100644 # Manages /etc/sysconfig/system-config-firewall iptables_manage_config(virtd_t) -@@ -362,6 +533,12 @@ optional_policy(` +@@ -362,6 +534,12 @@ optional_policy(` ') optional_policy(` @@ -71582,7 +71706,7 @@ index 947bbc6..609bc32 100644 policykit_dbus_chat(virtd_t) policykit_domtrans_auth(virtd_t) policykit_domtrans_resolve(virtd_t) -@@ -369,11 +546,11 @@ optional_policy(` +@@ -369,11 +547,11 @@ optional_policy(` ') optional_policy(` @@ -71599,7 +71723,7 @@ index 947bbc6..609bc32 100644 ') optional_policy(` -@@ -384,6 +561,7 @@ optional_policy(` +@@ -384,6 +562,7 @@ optional_policy(` kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) @@ -71607,7 +71731,7 @@ index 947bbc6..609bc32 100644 xen_stream_connect(virtd_t) xen_stream_connect_xenstore(virtd_t) xen_read_image_files(virtd_t) -@@ -402,35 +580,85 @@ optional_policy(` +@@ -402,35 +581,85 @@ optional_policy(` # # virtual domains common policy # 
@@ -71702,7 +71826,7 @@ index 947bbc6..609bc32 100644
  dev_read_rand(virt_domain)
  dev_read_sound(virt_domain)
  dev_read_urand(virt_domain)
-@@ -438,34 +666,628 @@ dev_write_sound(virt_domain)
+@@ -438,34 +667,628 @@ dev_write_sound(virt_domain)
  dev_rw_ksm(virt_domain)
  dev_rw_kvm(virt_domain)
  dev_rw_qemu(virt_domain)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 654ac5a..3ca075f 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.11.1
-Release: 68%{?dist}
+Release: 69%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -524,6 +524,24 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Wed Jan 2 2013 Miroslav Grepl 3.11.1-69
+- Add systemd_status_all_unit_files() interface
+- Add support for nshadow
+- Allow sysadm_t to administrate the postfix domains
+- Add interface to setattr on isid directories for use by tmpreaper
+- Allow sshd_t sys_admin for use with afs logins
+- Allow systemd to read/write all sysctls
+- Allow sshd_t sys_admin for use with afs logins
+- Allow systemd to read/write all sysctls
+- Add systemd_status_all_unit_files() interface
+- Add support for nshadow
+- Allow sysadm_t to administrate the postfix domains
+- Add interface to setattr on isid directories for use by tmpreaper
+- Allow sshd_t sys_admin for use with afs logins
+- Allow systemd to read/write all sysctls
+- Allow sshd_t sys_admin for use with afs logins
+- Add labeling for /var/named/chroot/etc/localtim
+
 * Thu Dec 27 2012 Miroslav Grepl 3.11.1-68
 - Allow setroubleshoot_fixit to execute rpm
 - zoneminder needs to connect to httpd ports where remote cameras are listening
