diff --git a/policy-rawhide.patch b/policy-rawhide.patch
index ac16f1c..47c593a 100644
--- a/policy-rawhide.patch
+++ b/policy-rawhide.patch
@@ -62010,7 +62010,7 @@ index 3a45f23..f4754f0 100644
# fork
# setexec
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
-index 28802c5..c73c1d2 100644
+index 28802c5..4b3db76 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -329,6 +329,7 @@ class process
@@ -62032,7 +62032,7 @@ index 28802c5..c73c1d2 100644
}
#
-@@ -443,10 +448,11 @@ class capability
+@@ -443,10 +448,12 @@ class capability
class capability2
{
mac_override # unused by SELinux
@@ -62040,12 +62040,13 @@ index 28802c5..c73c1d2 100644
+ mac_admin
syslog
wake_alarm
++ epolwakeup
block_suspend
+ secure_firmware
}
#
-@@ -862,3 +868,20 @@ inherits database
+@@ -862,3 +869,20 @@ inherits database
implement
execute
}
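Review bot: The new `epolwakeup` entry in `class capability2` has no comment saying it is a placeholder, while `mac_override` in the same class is annotated `# unused by SELinux`. The changelog for 3.11.1-5 describes it as a placeholder kept for capability numbering, so I would annotate it the same way, e.g. `epolwakeup # placeholder, keeps block_suspend numbering`. The name is spelled with a single "l"; if it is meant to mirror a kernel permission name, the spelling should be confirmed. The class declaration opens in the preceding hunk.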
@@ -81790,7 +81791,7 @@ index d2e40b8..3ba2e4c 100644
')
+/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index d26fe81..3f3a57f 100644
+index d26fe81..efdc556 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -79,6 +79,44 @@ interface(`init_script_domain',`
@@ -82312,7 +82313,33 @@ index d26fe81..3f3a57f 100644
')
########################################
-@@ -1117,6 +1340,24 @@ interface(`init_read_all_script_files',`
+@@ -1098,6 +1321,25 @@ interface(`init_getattr_all_script_files',`
+
+ ########################################
+ ##
++## Allow the specified domain to modify the systemd configuration of
++## all init scripts.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_config_all_script_files',`
++ gen_require(`
++ attribute init_script_file_type;
++ ')
++
++ allow $1 init_script_file_type:service all_service_perms;
++')
++
++########################################
++##
+ ## Read all init script files.
+ ##
+ ##
+@@ -1117,6 +1359,24 @@ interface(`init_read_all_script_files',`
#######################################
##
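Review bot: `init_config_all_script_files` grants `all_service_perms` on every type carrying `init_script_file_type`, but its summary says only "modify the systemd configuration". Going by the set's name this is the full service permission set rather than a configuration subset, so a caller reading the summary will underestimate what it grants. I would reword the summary to `## Allow the specified domain to perform all service operations on all init script units.`, or narrow the permission set if only configuration is intended. The interface name also ends in `_files` although the rule is on the `service` class.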
@@ -82337,7 +82364,7 @@ index d26fe81..3f3a57f 100644
## Dontaudit read all init script files.
##
##
-@@ -1168,12 +1409,7 @@ interface(`init_read_script_state',`
+@@ -1168,12 +1428,7 @@ interface(`init_read_script_state',`
')
kernel_search_proc($1)
@@ -82351,7 +82378,7 @@ index d26fe81..3f3a57f 100644
')
########################################
-@@ -1413,6 +1649,27 @@ interface(`init_dbus_send_script',`
+@@ -1413,6 +1668,27 @@ interface(`init_dbus_send_script',`
########################################
##
## Send and receive messages from
@@ -82379,7 +82406,7 @@ index d26fe81..3f3a57f 100644
## init scripts over dbus.
##
##
-@@ -1499,6 +1756,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1499,6 +1775,25 @@ interface(`init_getattr_script_status_files',`
########################################
##
@@ -82405,7 +82432,7 @@ index d26fe81..3f3a57f 100644
## Do not audit attempts to read init script
## status files.
##
-@@ -1557,6 +1833,24 @@ interface(`init_rw_script_tmp_files',`
+@@ -1557,6 +1852,24 @@ interface(`init_rw_script_tmp_files',`
########################################
##
@@ -82430,7 +82457,7 @@ index d26fe81..3f3a57f 100644
## Create files in a init script
## temporary data directory.
##
-@@ -1629,6 +1923,43 @@ interface(`init_read_utmp',`
+@@ -1629,6 +1942,43 @@ interface(`init_read_utmp',`
########################################
##
@@ -82474,7 +82501,7 @@ index d26fe81..3f3a57f 100644
## Do not audit attempts to write utmp.
##
##
-@@ -1717,7 +2048,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1717,7 +2067,7 @@ interface(`init_dontaudit_rw_utmp',`
type initrc_var_run_t;
')
@@ -82483,10 +82510,11 @@ index d26fe81..3f3a57f 100644
')
########################################
-@@ -1758,6 +2089,128 @@ interface(`init_pid_filetrans_utmp',`
+@@ -1758,7 +2108,129 @@ interface(`init_pid_filetrans_utmp',`
files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
')
+-########################################
+######################################
+##
+## Allow search directory in the /run/systemd directory.
@@ -82609,10 +82637,11 @@ index d26fe81..3f3a57f 100644
+ filetrans_pattern($1, init_var_run_t, $2, $3, $4)
+')
+
- ########################################
++########################################
##
## Allow the specified domain to connect to daemon with a tcp socket
-@@ -1792,3 +2245,284 @@ interface(`init_udp_recvfrom_all_daemons',`
+ ##
+@@ -1792,3 +2264,284 @@ interface(`init_udp_recvfrom_all_daemons',`
')
corenet_udp_recvfrom_labeled($1, daemon)
')
@@ -89853,10 +89882,10 @@ index 0000000..7da5bf6
+/var/run/initramfs(/.*)? <>
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
-index 0000000..6d1582c
+index 0000000..58d1ab6
--- /dev/null
+++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,735 @@
+@@ -0,0 +1,736 @@
+## SELinux policy for systemd components
+
+#######################################
@@ -90463,8 +90492,8 @@ index 0000000..6d1582c
+
+########################################
+##
-+## Allow the specified domain to connect to
-+## systemd_logger with a unix socket.
++## Allow the specified domain to modify the systemd configuration of
++## all systemd services
+##
+##
+##
@@ -90478,6 +90507,7 @@ index 0000000..6d1582c
+ ')
+
+ allow $1 systemd_unit_file_type:service all_service_perms;
++ init_config_all_script_files($1)
+')
+
+
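Review bot: The added call `init_config_all_script_files($1)` widens every existing caller of this interface: a domain that previously got `all_service_perms` only on `systemd_unit_file_type` now gets it on all init script types as well. The reworded summary in the preceding hunk still says "all systemd services" and does not mention init scripts; I would extend it, e.g. `## all systemd services, including init script units`. If any caller needs only native unit files (not visible here), keeping the two grants in separate interfaces would preserve least privilege. The interface header is outside this hunk.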
diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch
index 49dc44f..86deda8 100644
--- a/policy_contrib-rawhide.patch
+++ b/policy_contrib-rawhide.patch
@@ -60403,10 +60403,10 @@ index 65baaac..821bcea 100644
+ can_exec($1, consolehelper_exec_t)
+')
diff --git a/userhelper.te b/userhelper.te
-index f25ed61..390de9e 100644
+index f25ed61..a137f29 100644
--- a/userhelper.te
+++ b/userhelper.te
-@@ -6,9 +6,81 @@ policy_module(userhelper, 1.7.0)
+@@ -6,9 +6,82 @@ policy_module(userhelper, 1.7.0)
#
attribute userhelper_type;
@@ -60427,7 +60427,8 @@ index f25ed61..390de9e 100644
+#
+
+allow consolehelper_domain self:shm create_shm_perms;
-+allow consolehelper_domain self:capability { setgid setuid };
++allow consolehelper_domain self:capability { setgid setuid dac_override };
++allow consolehelper_domain self:process signal;
+
+allow consolehelper_domain userhelper_conf_t:file audit_access;
+dontaudit consolehelper_domain userhelper_conf_t:file write;
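Review bot: Adding `dac_override` to `consolehelper_domain` lets every domain carrying that attribute bypass discretionary file permission checks, and neither a policy comment nor the 3.11.1-5 changelog entry says which access required it. I would record the reason next to the rule, e.g. `# dac_override: needed for <operation from the AVC denial>`. It is also worth checking whether the denial was only a read or directory search, in which case `dac_read_search` would be the narrower grant. The new `self:process signal` rule is likewise unexplained and should get the same one-line justification.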
diff --git a/selinux-policy.spec b/selinux-policy.spec
index d0dd8ce..0a2442e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.11.1
-Release: 4%{?dist}
+Release: 5%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -491,6 +491,10 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Thu Aug 9 2012 Miroslav Grepl 3.11.1-5
+- Put placeholder back in place for proper numbering of capabilities
+- Systemd also configures init scripts
+
* Thu Aug 9 2012 Miroslav Grepl 3.11.1-4
- Fix ecryptfs interfaces
- Bootloader seems to be trolling around /dev/shm and /dev