diff --git a/policy-F15.patch b/policy-F15.patch index b75b1a0..84700d3 100644 --- a/policy-F15.patch +++ b/policy-F15.patch @@ -1185,6 +1185,19 @@ index 0000000..104253d + modutils_read_module_config(ncftool_t) + modutils_domtrans_insmod(ncftool_t) +') +diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc +index 407078f..a818e14 100644 +--- a/policy/modules/admin/netutils.fc ++++ b/policy/modules/admin/netutils.fc +@@ -8,7 +8,7 @@ + /usr/bin/nmap -- gen_context(system_u:object_r:traceroute_exec_t,s0) + /usr/bin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) + +-/usr/sbin/fping -- gen_context(system_u:object_r:ping_exec_t,s0) ++/usr/sbin/fping.* -- gen_context(system_u:object_r:ping_exec_t,s0) + /usr/sbin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) + /usr/sbin/hping2 -- gen_context(system_u:object_r:ping_exec_t,s0) + /usr/sbin/send_arp -- gen_context(system_u:object_r:ping_exec_t,s0) diff --git a/policy/modules/admin/netutils.if b/policy/modules/admin/netutils.if index c6ca761..46e0767 100644 --- a/policy/modules/admin/netutils.if @@ -2375,7 +2388,7 @@ index 7bddc02..2b59ed0 100644 + +/var/db/sudo(/.*)? gen_context(system_u:object_r:sudo_db_t,s0) diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if -index 975af1a..bae65ee 100644 +index 975af1a..fd05003 100644 --- a/policy/modules/admin/sudo.if +++ b/policy/modules/admin/sudo.if @@ -32,6 +32,7 @@ template(`sudo_role_template',` @@ -2421,6 +2434,15 @@ index 975af1a..bae65ee 100644 init_rw_utmp($1_sudo_t) logging_send_audit_msgs($1_sudo_t) +@@ -126,7 +135,7 @@ template(`sudo_role_template',` + + miscfiles_read_localization($1_sudo_t) + +- seutil_search_default_contexts($1_sudo_t) ++ seutil_read_default_contexts($1_sudo_t) + seutil_libselinux_linked($1_sudo_t) + + userdom_spec_domtrans_all_users($1_sudo_t) 
@@ -135,13 +144,18 @@ template(`sudo_role_template',` userdom_manage_user_tmp_files($1_sudo_t) userdom_manage_user_tmp_symlinks($1_sudo_t) @@ -4423,7 +4445,7 @@ index f5afe78..b1b6bf6 100644 +') + diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te -index 2505654..72e5079 100644 +index 2505654..95f89db 100644 --- a/policy/modules/apps/gnome.te +++ b/policy/modules/apps/gnome.te @@ -5,12 +5,26 @@ policy_module(gnome, 2.1.0) @@ -4498,7 +4520,7 @@ index 2505654..72e5079 100644 ############################## # # Local Policy -@@ -75,3 +110,153 @@ optional_policy(` +@@ -75,3 +110,165 @@ optional_policy(` xserver_use_xdm_fds(gconfd_t) xserver_rw_xdm_pipes(gconfd_t) ') @@ -4652,6 +4674,18 @@ index 2505654..72e5079 100644 +') + +userdom_use_user_terminals(gnome_domain) ++ ++tunable_policy(`use_nfs_home_dirs',` ++ fs_getattr_nfs(gkeyringd_domain) ++ fs_manage_nfs_dirs(gkeyringd_domain) ++ fs_manage_nfs_files(gkeyringd_domain) ++') ++ ++tunable_policy(`use_samba_home_dirs',` ++ fs_manage_cifs_dirs(gkeyringd_domain) ++ fs_manage_cifs_files(gkeyringd_domain) ++') ++ diff --git a/policy/modules/apps/gpg.fc b/policy/modules/apps/gpg.fc index e9853d4..717d163 100644 --- a/policy/modules/apps/gpg.fc @@ -8039,10 +8073,10 @@ index 0000000..0fedd57 +') diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te new file mode 100644 -index 0000000..b347556 +index 0000000..3928015 --- /dev/null +++ b/policy/modules/apps/sandbox.te -@@ -0,0 +1,479 @@ +@@ -0,0 +1,481 @@ +policy_module(sandbox,1.0.0) +dbus_stub() +attribute sandbox_domain; @@ -8237,6 +8271,7 @@ index 0000000..b347556 +manage_sock_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t); +manage_fifo_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t); +manage_lnk_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t); ++dontaudit sandbox_x_domain sandbox_file_t:dir mounton; + +domain_dontaudit_read_all_domains_state(sandbox_x_domain) + 
@@ -8478,6 +8513,7 @@ index 0000000..b347556 +') + +optional_policy(` ++ nsplugin_manage_rw(sandbox_web_type) + nsplugin_read_rw_files(sandbox_web_type) + nsplugin_rw_exec(sandbox_web_type) +') @@ -8949,10 +8985,10 @@ index 0000000..6878d68 + diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te new file mode 100644 -index 0000000..1ee3b2a +index 0000000..298b1e5 --- /dev/null +++ b/policy/modules/apps/telepathy.te -@@ -0,0 +1,336 @@ +@@ -0,0 +1,339 @@ + +policy_module(telepathy, 1.0.0) + @@ -9021,6 +9057,7 @@ index 0000000..1ee3b2a +corenet_tcp_connect_msnp_port(telepathy_msn_t) +corenet_tcp_connect_sametime_port(telepathy_msn_t) +corenet_tcp_connect_ssdp_port(telepathy_msn_t) ++corenet_tcp_connect_sip_port(telepathy_msn_t) + +corecmd_exec_bin(telepathy_msn_t) +corecmd_exec_shell(telepathy_msn_t) @@ -9041,6 +9078,8 @@ index 0000000..1ee3b2a + +sysnet_read_config(telepathy_msn_t) + ++userdom_read_all_users_state(telepathy_msn_t) ++ +optional_policy(` + dbus_system_bus_client(telepathy_msn_t) + optional_policy(` @@ -9679,7 +9718,7 @@ index 82842a0..4111a1d 100644 dbus_system_bus_client($1_wm_t) dbus_session_bus_client($1_wm_t) diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 34c9d01..4593351 100644 +index 34c9d01..9856a93 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -72,7 +72,9 @@ ifdef(`distro_redhat',` 
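Review bot: `userdom_read_all_users_state(telepathy_msn_t)` lets the MSN connection manager, a network-facing client, read the process state of every user domain on the box; that is broader than an IM backend ought to need, and the telepathy.te hunk gives no hint of which access triggered it. Check what the denial actually asked for and use the narrowest interface that satisfies it, or at the least put a comment above the rule naming the operation, e.g. `# needed for <operation — TODO fill in from the AVC>`. The `optional_policy(` block that follows continues past the hunk.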
@@ -9721,7 +9760,15 @@ index 34c9d01..4593351 100644 # # /usr # -@@ -232,6 +234,9 @@ ifdef(`distro_gentoo',` +@@ -198,6 +200,7 @@ ifdef(`distro_gentoo',` + /usr/lib/wicd/monitor\.py -- gen_context(system_u:object_r:bin_t, s0) + /usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0) + /usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib(64)?/chromium-browser/chrome -- gen_context(system_u:object_r:bin_t,s0) + /usr/lib(64)?/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/lib(64)?/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/lib(64)?/courier(/.*)? gen_context(system_u:object_r:bin_t,s0) +@@ -232,6 +235,9 @@ ifdef(`distro_gentoo',` /usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/[^/]*thunderbird[^/]*/open-browser\.sh -- gen_context(system_u:object_r:bin_t,s0) @@ -9731,7 +9778,7 @@ index 34c9d01..4593351 100644 /usr/lib(64)?/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0) -@@ -244,9 +249,13 @@ ifdef(`distro_gentoo',` +@@ -244,9 +250,13 @@ ifdef(`distro_gentoo',` /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0) 
@@ -9745,7 +9792,7 @@ index 34c9d01..4593351 100644 /usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -283,6 +292,7 @@ ifdef(`distro_gentoo',` +@@ -283,6 +293,7 @@ ifdef(`distro_gentoo',` /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0) @@ -9753,7 +9800,7 @@ index 34c9d01..4593351 100644 /usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -307,6 +317,7 @@ ifdef(`distro_redhat', ` +@@ -307,6 +318,7 @@ ifdef(`distro_redhat', ` /usr/lib64/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib64/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0) @@ -9761,7 +9808,7 @@ index 34c9d01..4593351 100644 /usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -316,9 +327,11 @@ ifdef(`distro_redhat', ` +@@ -316,9 +328,11 @@ ifdef(`distro_redhat', ` /usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0) /usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0) /usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -10988,7 +11035,7 @@ index 16108f6..7307872 100644 + +/usr/lib/debug(/.*)? <> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 958ca84..aaf48dc 100644 +index 958ca84..0d32093 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if 
@@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',` @@ -11701,7 +11748,7 @@ index 958ca84..aaf48dc 100644 search_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5103,11 +5627,32 @@ interface(`files_dontaudit_search_locks',` +@@ -5103,11 +5627,50 @@ interface(`files_dontaudit_search_locks',` type var_lock_t; ') @@ -11731,10 +11778,28 @@ index 958ca84..aaf48dc 100644 + +######################################## +## ++## Set the attributes of the /var/lock directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_setattr_lock_dirs',` ++ gen_require(` ++ type usr_t; ++ ') ++ ++ allow $1 var_lock_t:dir setattr; ++') ++ ++######################################## ++## ## Add and remove entries in the /var/lock ## directories. ## -@@ -5122,6 +5667,7 @@ interface(`files_rw_lock_dirs',` +@@ -5122,6 +5685,7 @@ interface(`files_rw_lock_dirs',` type var_t, var_lock_t; ') @@ -11742,7 +11807,7 @@ index 958ca84..aaf48dc 100644 rw_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5140,7 +5686,7 @@ interface(`files_getattr_generic_locks',` +@@ -5140,7 +5704,7 @@ interface(`files_getattr_generic_locks',` type var_t, var_lock_t; ') @@ -11751,7 +11816,7 @@ index 958ca84..aaf48dc 100644 allow $1 var_lock_t:dir list_dir_perms; getattr_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5156,12 +5702,12 @@ interface(`files_getattr_generic_locks',` +@@ -5156,12 +5720,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` @@ -11768,7 +11833,7 @@ index 958ca84..aaf48dc 100644 ') ######################################## -@@ -5180,7 +5726,7 @@ interface(`files_manage_generic_locks',` +@@ -5180,7 +5744,7 @@ interface(`files_manage_generic_locks',` type var_t, var_lock_t; ') 
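Review bot: The new `files_setattr_lock_dirs` interface requires the wrong type: its `gen_require` block declares `type usr_t;` while the only rule, `allow $1 var_lock_t:dir setattr;`, references `var_lock_t`, so the require should read `type var_lock_t;` (the neighbouring `files_rw_lock_dirs` requires `type var_t, var_lock_t;`). As written the interface may fail to link in a caller's module, or compile only because `var_lock_t` happens to be in scope, and it drags `usr_t` into the caller's requirements for no reason. dirsrv.te later in this patch calls `files_setattr_lock_dirs(dirsrv_t)`, so that module's build depends on the fix.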
@@ -11777,7 +11842,7 @@ index 958ca84..aaf48dc 100644 manage_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5207,6 +5753,27 @@ interface(`files_delete_all_locks',` +@@ -5207,6 +5771,27 @@ interface(`files_delete_all_locks',` ######################################## ## @@ -11805,7 +11870,7 @@ index 958ca84..aaf48dc 100644 ## Read all lock files. ## ## -@@ -5221,7 +5788,7 @@ interface(`files_read_all_locks',` +@@ -5221,7 +5806,7 @@ interface(`files_read_all_locks',` type var_t, var_lock_t; ') @@ -11814,7 +11879,7 @@ index 958ca84..aaf48dc 100644 allow $1 lockfile:dir list_dir_perms; read_files_pattern($1, lockfile, lockfile) read_lnk_files_pattern($1, lockfile, lockfile) -@@ -5243,7 +5810,7 @@ interface(`files_manage_all_locks',` +@@ -5243,7 +5828,7 @@ interface(`files_manage_all_locks',` type var_t, var_lock_t; ') @@ -11823,7 +11888,7 @@ index 958ca84..aaf48dc 100644 manage_dirs_pattern($1, lockfile, lockfile) manage_files_pattern($1, lockfile, lockfile) manage_lnk_files_pattern($1, lockfile, lockfile) -@@ -5275,7 +5842,7 @@ interface(`files_lock_filetrans',` +@@ -5275,7 +5860,7 @@ interface(`files_lock_filetrans',` type var_t, var_lock_t; ') @@ -11832,7 +11897,7 @@ index 958ca84..aaf48dc 100644 filetrans_pattern($1, var_lock_t, $2, $3) ') -@@ -5332,9 +5899,47 @@ interface(`files_search_pids',` +@@ -5332,9 +5917,47 @@ interface(`files_search_pids',` type var_t, var_run_t; ') @@ -11880,7 +11945,7 @@ index 958ca84..aaf48dc 100644 ######################################## ## ## Do not audit attempts to search -@@ -5542,6 +6147,62 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -5542,6 +6165,62 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## @@ -11943,7 +12008,7 @@ index 958ca84..aaf48dc 100644 ## Read all process ID files. ## ## -@@ -5559,6 +6220,44 @@ interface(`files_read_all_pids',` +@@ -5559,6 +6238,44 @@ interface(`files_read_all_pids',` list_dirs_pattern($1, var_t, pidfile) read_files_pattern($1, pidfile, pidfile) 
@@ -11988,7 +12053,7 @@ index 958ca84..aaf48dc 100644 ') ######################################## -@@ -5844,3 +6543,284 @@ interface(`files_unconfined',` +@@ -5844,3 +6561,284 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -13913,10 +13978,10 @@ index be4de58..cce681a 100644 ######################################## # diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 2be17d2..7ccb554 100644 +index 2be17d2..db5a937 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te -@@ -8,12 +8,48 @@ policy_module(staff, 2.2.0) +@@ -8,12 +8,51 @@ policy_module(staff, 2.2.0) role staff_r; userdom_unpriv_user_template(staff) @@ -13945,6 +14010,9 @@ index 2be17d2..7ccb554 100644 +seutil_read_module_store(staff_t) +seutil_run_newrole(staff_t, staff_r) + ++storage_read_scsi_generic(staff_t) ++storage_write_scsi_generic(staff_t) ++ +term_use_unallocated_ttys(staff_usertype) + +auth_domtrans_pam_console(staff_t) @@ -13965,7 +14033,7 @@ index 2be17d2..7ccb554 100644 optional_policy(` apache_role(staff_r, staff_t) ') -@@ -27,25 +63,139 @@ optional_policy(` +@@ -27,25 +66,139 @@ optional_policy(` ') optional_policy(` @@ -14107,7 +14175,7 @@ index 2be17d2..7ccb554 100644 optional_policy(` vlock_run(staff_t, staff_r) -@@ -89,10 +239,6 @@ ifndef(`distro_redhat',` +@@ -89,10 +242,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -14118,7 +14186,7 @@ index 2be17d2..7ccb554 100644 gpg_role(staff_r, staff_t) ') -@@ -137,10 +283,6 @@ ifndef(`distro_redhat',` +@@ -137,10 +286,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -14129,7 +14197,7 @@ index 2be17d2..7ccb554 100644 spamassassin_role(staff_r, staff_t) ') -@@ -172,3 +314,7 @@ ifndef(`distro_redhat',` +@@ -172,3 +317,7 @@ ifndef(`distro_redhat',` wireshark_role(staff_r, staff_t) ') ') @@ -15184,7 +15252,7 @@ index 0000000..8b2cdf3 + 
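Review bot: `storage_read_scsi_generic(staff_t)` and `storage_write_scsi_generic(staff_t)` grant the ordinary staff login domain unconditional read/write on SCSI generic device nodes, and the unprivuser.te hunk further down adds the same pair for `user_t`. Raw SCSI generic access lets a process send arbitrary commands to any device exposed through it (DAC on the node still applies), which is normally reserved for specific application domains, so this belongs behind a tunable — the unprivuser.te hunk already has a `tunable_policy(`allow_execmod',` block next to it that shows the shape — together with a comment naming the application that needs it. Write the note once here and apply the same treatment in unprivuser.te.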
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..805d0ea +index 0000000..c2818a1 --- /dev/null +++ b/policy/modules/roles/unconfineduser.te @@ -0,0 +1,503 @@ @@ -15605,9 +15673,9 @@ index 0000000..805d0ea + sysnet_role_transition_dhcpc(unconfined_r) +') + -+optional_policy(` -+ telepathy_dbus_session_role(unconfined_r, unconfined_t) -+') ++#optional_policy(` ++# telepathy_dbus_session_role(unconfined_r, unconfined_t) ++#') + +optional_policy(` + vbetool_run(unconfined_t, unconfined_r) @@ -15692,15 +15760,18 @@ index 0000000..805d0ea +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) + diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te -index e5bfdd4..0e1c254 100644 +index e5bfdd4..dc6b88f 100644 --- a/policy/modules/roles/unprivuser.te +++ b/policy/modules/roles/unprivuser.te -@@ -12,15 +12,72 @@ role user_r; +@@ -12,15 +12,75 @@ role user_r; userdom_unpriv_user_template(user) +fs_exec_noxattr(user_t) + ++storage_read_scsi_generic(user_t) ++storage_write_scsi_generic(user_t) ++ +tunable_policy(`allow_execmod',` + userdom_execmod_user_home_files(user_usertype) +') @@ -15768,7 +15839,7 @@ index e5bfdd4..0e1c254 100644 vlock_run(user_t, user_r) ') -@@ -62,10 +119,6 @@ ifndef(`distro_redhat',` +@@ -62,10 +122,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -15779,7 +15850,7 @@ index e5bfdd4..0e1c254 100644 gpg_role(user_r, user_t) ') -@@ -118,11 +171,7 @@ ifndef(`distro_redhat',` +@@ -118,11 +174,7 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -15792,7 +15863,7 @@ index e5bfdd4..0e1c254 100644 ') optional_policy(` -@@ -157,3 +206,4 @@ ifndef(`distro_redhat',` +@@ -157,3 +209,4 @@ ifndef(`distro_redhat',` wireshark_role(user_r, user_t) ') ') 
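Review bot: The telepathy block in unconfineduser.te is commented out (`#optional_policy(` … `#')`) rather than removed, which leaves dead policy in a file this patch is creating from scratch. Delete the three lines, or replace them with a one-line comment giving the reason it was pulled, e.g. `# telepathy_dbus_session_role not applied to unconfined_r: <reason — TODO>`, so the next reader does not simply uncomment it.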
@@ -16602,6 +16673,19 @@ index 0000000..dda9c93 + sysnet_domtrans_ifconfig(aiccu_t) + sysnet_dns_name_resolve(aiccu_t) +') +diff --git a/policy/modules/services/aide.fc b/policy/modules/services/aide.fc +index 7798464..ff76db7 100644 +--- a/policy/modules/services/aide.fc ++++ b/policy/modules/services/aide.fc +@@ -1,6 +1,6 @@ +-/usr/sbin/aide -- gen_context(system_u:object_r:aide_exec_t,mls_systemhigh) ++/usr/sbin/aide -- gen_context(system_u:object_r:aide_exec_t,s0) + +-/var/lib/aide(/.*) gen_context(system_u:object_r:aide_db_t,mls_systemhigh) ++/var/lib/aide(/.*)? gen_context(system_u:object_r:aide_db_t,mls_systemhigh) + + /var/log/aide(/.*)? gen_context(system_u:object_r:aide_log_t,mls_systemhigh) + /var/log/aide\.log -- gen_context(system_u:object_r:aide_log_t,mls_systemhigh) diff --git a/policy/modules/services/aide.if b/policy/modules/services/aide.if index 838d25b..0b0db39 100644 --- a/policy/modules/services/aide.if @@ -16614,6 +16698,21 @@ index 838d25b..0b0db39 100644 # interface(`aide_run',` gen_require(` +diff --git a/policy/modules/services/aide.te b/policy/modules/services/aide.te +index 2509dd2..88b8d9e 100644 +--- a/policy/modules/services/aide.te ++++ b/policy/modules/services/aide.te +@@ -32,6 +32,10 @@ manage_files_pattern(aide_t, aide_log_t, aide_log_t) + logging_log_filetrans(aide_t, aide_log_t, file) + + files_read_all_files(aide_t) ++files_read_boot_symlinks(aide_t) ++ ++mls_file_read_to_clearance(aide_t) ++mls_file_write_to_clearance(aide_t) + + logging_send_audit_msgs(aide_t) + # AIDE can be configured to log to syslog diff --git a/policy/modules/services/aisexec.if b/policy/modules/services/aisexec.if index 0370dba..af5d229 100644 --- a/policy/modules/services/aisexec.if @@ -16994,7 +17093,7 @@ index 9e39aa5..7ba3b11 100644 +/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) 
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if -index 6480167..09c61a0 100644 +index 6480167..2d45594 100644 --- a/policy/modules/services/apache.if +++ b/policy/modules/services/apache.if @@ -13,17 +13,13 @@ @@ -17324,7 +17423,32 @@ index 6480167..09c61a0 100644 ') ######################################## -@@ -819,6 +895,7 @@ interface(`apache_list_sys_content',` +@@ -802,6 +878,24 @@ interface(`apache_domtrans_rotatelogs',` + domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t) + ') + ++####################################### ++## ++## Execute httpd_rotatelogs in the caller domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`apache_exec_rotatelogs',` ++ gen_require(` ++ type httpd_rotatelogs_exec_t; ++ ') ++ ++ can_exec($1, httpd_rotatelogs_exec_t) ++') ++ + ######################################## + ## + ## Allow the specified domain to list +@@ -819,6 +913,7 @@ interface(`apache_list_sys_content',` ') list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) @@ -17332,7 +17456,7 @@ index 6480167..09c61a0 100644 files_search_var($1) ') -@@ -846,6 +923,74 @@ interface(`apache_manage_sys_content',` +@@ -846,6 +941,74 @@ interface(`apache_manage_sys_content',` manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) ') @@ -17407,7 +17531,7 @@ index 6480167..09c61a0 100644 ######################################## ## ## Execute all web scripts in the system -@@ -862,7 +1007,11 @@ interface(`apache_manage_sys_content',` +@@ -862,7 +1025,11 @@ interface(`apache_manage_sys_content',` interface(`apache_domtrans_sys_script',` gen_require(` attribute httpdcontent; @@ -17420,7 +17544,7 @@ index 6480167..09c61a0 100644 ') tunable_policy(`httpd_enable_cgi && httpd_unified',` -@@ -921,9 +1070,10 @@ interface(`apache_domtrans_all_scripts',` +@@ -921,9 +1088,10 @@ interface(`apache_domtrans_all_scripts',` ## ## ## 
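Review bot: The parameter description of the new `apache_exec_rotatelogs` interface says `Domain allowed to transition.`, but its body is `can_exec($1, httpd_rotatelogs_exec_t)`, which runs rotatelogs in the caller's own domain with no transition at all; the text should read `Domain allowed access.`, and the summary could say that this is the no-transition counterpart of `apache_domtrans_rotatelogs` immediately above it. The separator line above the block also appears to be one `#` short of the 40-column rule the rest of the file uses.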
@@ -17432,7 +17556,7 @@ index 6480167..09c61a0 100644 # interface(`apache_run_all_scripts',` gen_require(` -@@ -950,7 +1100,7 @@ interface(`apache_read_squirrelmail_data',` +@@ -950,7 +1118,7 @@ interface(`apache_read_squirrelmail_data',` type httpd_squirrelmail_t; ') @@ -17441,7 +17565,7 @@ index 6480167..09c61a0 100644 ') ######################################## -@@ -1091,6 +1241,25 @@ interface(`apache_read_tmp_files',` +@@ -1091,6 +1259,25 @@ interface(`apache_read_tmp_files',` read_files_pattern($1, httpd_tmp_t, httpd_tmp_t) ') @@ -17467,7 +17591,7 @@ index 6480167..09c61a0 100644 ######################################## ## ## Dontaudit attempts to write -@@ -1107,7 +1276,7 @@ interface(`apache_dontaudit_write_tmp_files',` +@@ -1107,7 +1294,7 @@ interface(`apache_dontaudit_write_tmp_files',` type httpd_tmp_t; ') @@ -17476,7 +17600,7 @@ index 6480167..09c61a0 100644 ') ######################################## -@@ -1170,17 +1339,14 @@ interface(`apache_cgi_domain',` +@@ -1170,17 +1357,14 @@ interface(`apache_cgi_domain',` # interface(`apache_admin',` gen_require(` @@ -17498,7 +17622,7 @@ index 6480167..09c61a0 100644 ps_process_pattern($1, httpd_t) init_labeled_script_domtrans($1, httpd_initrc_exec_t) -@@ -1191,10 +1357,10 @@ interface(`apache_admin',` +@@ -1191,10 +1375,10 @@ interface(`apache_admin',` apache_manage_all_content($1) miscfiles_manage_public_files($1) @@ -17511,7 +17635,7 @@ index 6480167..09c61a0 100644 admin_pattern($1, httpd_log_t) admin_pattern($1, httpd_modules_t) -@@ -1205,14 +1371,43 @@ interface(`apache_admin',` +@@ -1205,14 +1389,43 @@ interface(`apache_admin',` admin_pattern($1, httpd_var_run_t) files_pid_filetrans($1, httpd_var_run_t, file) @@ -18550,7 +18674,7 @@ index 1ea99b2..49e6c74 100644 + stream_connect_pattern($1, apmd_var_run_t, apmd_var_run_t, apmd_t) ') diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te -index 1c8c27e..f0ca259 100644 +index 1c8c27e..e450955 100644 --- a/policy/modules/services/apm.te 
+++ b/policy/modules/services/apm.te @@ -4,6 +4,7 @@ policy_module(apm, 1.11.0) @@ -18587,7 +18711,7 @@ index 1c8c27e..f0ca259 100644 init_domtrans_script(apmd_t) init_rw_utmp(apmd_t) init_telinit(apmd_t) -@@ -127,9 +133,6 @@ logging_send_audit_msgs(apmd_t) +@@ -127,10 +133,9 @@ logging_send_audit_msgs(apmd_t) miscfiles_read_localization(apmd_t) miscfiles_read_hwdata(apmd_t) @@ -18595,9 +18719,12 @@ index 1c8c27e..f0ca259 100644 -modutils_read_module_config(apmd_t) - seutil_dontaudit_read_config(apmd_t) ++seutil_sigchld_newrole(apmd_t) ++ userdom_dontaudit_use_unpriv_user_fds(apmd_t) -@@ -142,9 +145,8 @@ ifdef(`distro_redhat',` + userdom_dontaudit_search_user_home_dirs(apmd_t) +@@ -142,9 +147,8 @@ ifdef(`distro_redhat',` can_exec(apmd_t, apmd_var_run_t) @@ -18608,7 +18735,7 @@ index 1c8c27e..f0ca259 100644 ') optional_policy(` -@@ -155,6 +157,15 @@ ifdef(`distro_redhat',` +@@ -155,6 +159,15 @@ ifdef(`distro_redhat',` netutils_domtrans(apmd_t) ') @@ -18624,7 +18751,7 @@ index 1c8c27e..f0ca259 100644 ',` # for ifconfig which is run all the time kernel_dontaudit_search_sysctl(apmd_t) -@@ -205,6 +216,11 @@ optional_policy(` +@@ -205,12 +218,17 @@ optional_policy(` ') optional_policy(` @@ -18636,6 +18763,13 @@ index 1c8c27e..f0ca259 100644 pcmcia_domtrans_cardmgr(apmd_t) pcmcia_domtrans_cardctl(apmd_t) ') + + optional_policy(` +- seutil_sigchld_newrole(apmd_t) ++ shutdown_domtrans(apmd_t) + ') + + optional_policy(` diff --git a/policy/modules/services/arpwatch.if b/policy/modules/services/arpwatch.if index c804110..bdefbe1 100644 --- a/policy/modules/services/arpwatch.if @@ -24530,10 +24664,10 @@ index 0000000..9d8f5de +') diff --git a/policy/modules/services/dirsrv.te b/policy/modules/services/dirsrv.te new file mode 100644 -index 0000000..24f776b +index 0000000..1f4cf3b --- /dev/null +++ b/policy/modules/services/dirsrv.te -@@ -0,0 +1,178 @@ +@@ -0,0 +1,179 @@ +policy_module(dirsrv,1.0.0) + +######################################## 
@@ -24614,6 +24748,7 @@ index 0000000..24f776b +manage_files_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t) +manage_dirs_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t) +files_lock_filetrans(dirsrv_t, dirsrv_var_lock_t, { file }) ++files_setattr_lock_dirs(dirsrv_t) + +manage_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t) +manage_dirs_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t) @@ -25923,7 +26058,7 @@ index bc27421..a65582e 100644 ## ## Allow domain dyntransition to sftpd_anon domain. diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te -index 8a74a83..826e699 100644 +index 8a74a83..f735e6b 100644 --- a/policy/modules/services/ftp.te +++ b/policy/modules/services/ftp.te @@ -40,6 +40,13 @@ gen_tunable(allow_ftpd_use_nfs, false) @@ -25971,7 +26106,7 @@ index 8a74a83..826e699 100644 # -allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_nice sys_resource }; -+allow ftpd_t self:capability { chown fowner fsetid ipc_lock setgid setuid sys_chroot sys_admin sys_nice sys_resource }; ++allow ftpd_t self:capability { chown fowner fsetid ipc_lock kill setgid setuid sys_chroot sys_admin sys_nice sys_resource }; dontaudit ftpd_t self:capability sys_tty_config; allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms }; allow ftpd_t self:fifo_file rw_fifo_file_perms; @@ -28006,7 +28141,7 @@ index da2127e..e141bc5 100644 + +sysnet_read_config(jabberd_domain) diff --git a/policy/modules/services/kerberos.fc b/policy/modules/services/kerberos.fc -index 3525d24..e5db539 100644 +index 3525d24..923e979 100644 --- a/policy/modules/services/kerberos.fc +++ b/policy/modules/services/kerberos.fc @@ -8,7 +8,7 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) 
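Review bot: The `ftpd_t` self capability set gains `kill` (next to the `sys_admin` the previous version of this patch already granted) with no comment on why vsftpd needs it. The context line `allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms };` already covers signalling within the domain, so `CAP_KILL` is presumably for signalling session children that have dropped to the logged-in user's UID; a comment above the rule saying so, e.g. `# kill: signal per-session children running under the user's UID`, records the justification and stops the next reviewer from widening the set further. The ftp.te rule block continues outside the hunk.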
@@ -28018,6 +28153,11 @@ index 3525d24..e5db539 100644 /etc/rc\.d/init\.d/kprop -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) /etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) /etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) +@@ -31,3 +31,4 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) + /var/log/kadmin(d)?\.log gen_context(system_u:object_r:kadmind_log_t,s0) + + /var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) ++/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if index 604f67b..65fdeb0 100644 --- a/policy/modules/services/kerberos.if @@ -29262,10 +29402,10 @@ index 0000000..9343f3f +') diff --git a/policy/modules/services/matahari.te b/policy/modules/services/matahari.te new file mode 100644 -index 0000000..82f22a4 +index 0000000..ae611b9 --- /dev/null +++ b/policy/modules/services/matahari.te -@@ -0,0 +1,82 @@ +@@ -0,0 +1,86 @@ +policy_module(matahari,1.0.0) + +######################################## @@ -29318,6 +29458,10 @@ index 0000000..82f22a4 + +domain_use_interactive_fds(matahari_netd_t) + ++optional_policy(` ++ dbus_system_bus_client(matahari_netd_t) ++') ++ +######################################## +# +# matahari_serviced local policy @@ -31817,24 +31961,25 @@ index bf64a4c..8a9789c 100644 corecmd_exec_bin(nagios_system_plugin_t) diff --git a/policy/modules/services/networkmanager.fc b/policy/modules/services/networkmanager.fc -index 386543b..1b34e21 100644 +index 386543b..984eefc 100644 --- a/policy/modules/services/networkmanager.fc 
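Review bot: `/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)` hard-codes a single UID into the replay-cache file name; if the `<principal>_<uid>` naming holds as the existing `host_0` entry suggests, this line only matches hosts where the HTTP service runs as UID 23 and the cache is mislabelled everywhere else. A pattern such as `/var/tmp/HTTP_[0-9]+ -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)` covers any UID, in the same way the other fc entries in this patch use regexes (`fping.*`, `tgtd.*`).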
+++ b/policy/modules/services/networkmanager.fc -@@ -1,7 +1,13 @@ +@@ -1,6 +1,13 @@ /etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) -+/etc/NetworkManager(/.*) gen_context(system_u:object_r:NetworkManager_etc_t,s0) +-/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) ++/etc/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_etc_t,s0) +/etc/NetworkManager/NetworkManager\.conf gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0) - /etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) - ++/etc/NetworkManager/system-connections(/.*)? gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0) ++/etc/NetworkManager/dispatcher\.d(/.*)? gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) ++ +/etc/wicd/manager-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) +/etc/wicd/wireless-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) +/etc/wicd/wired-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) -+ + /usr/libexec/nm-dispatcher.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) - /sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0) -@@ -16,7 +22,8 @@ +@@ -16,7 +23,8 @@ /var/lib/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0) /var/lib/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0) @@ -31942,7 +32087,7 @@ index 2324d9e..8069487 100644 + append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t) +') diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te -index 0619395..6000a3f 100644 +index 0619395..8f8c519 100644 --- a/policy/modules/services/networkmanager.te +++ b/policy/modules/services/networkmanager.te @@ -12,6 +12,12 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t) 
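Review bot: `/etc/NetworkManager/system-connections(/.*)?` is now labelled `NetworkManager_etc_rw_t`, the same type as `NetworkManager.conf`; those profiles can carry Wi-Fi PSKs and VPN credentials, so a short comment above the entry, `# system-connections: connection profiles, may contain secrets`, would flag that any future interface granting read on `NetworkManager_etc_rw_t` exposes them. Separately, `/etc/NetworkManager/NetworkManager\.conf` has no `--` class specifier while the three `/etc/wicd/*.conf` entries added in the same hunk do; adding `--` keeps the specs consistent and avoids matching a directory of that name.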
@@ -31982,7 +32127,7 @@ index 0619395..6000a3f 100644 allow NetworkManager_t self:udp_socket create_socket_perms; allow NetworkManager_t self:packet_socket create_socket_perms; -@@ -52,9 +63,19 @@ allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto; +@@ -52,9 +63,20 @@ allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto; can_exec(NetworkManager_t, NetworkManager_exec_t) @@ -31990,8 +32135,9 @@ index 0619395..6000a3f 100644 +read_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t) +read_lnk_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t) + ++manage_dirs_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t) +manage_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t) -+filetrans_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_rw_t, file) ++filetrans_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_rw_t, { dir file }) + +logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file) + @@ -32002,7 +32148,7 @@ index 0619395..6000a3f 100644 manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file }) -@@ -133,30 +154,37 @@ logging_send_syslog_msg(NetworkManager_t) +@@ -133,30 +155,37 @@ logging_send_syslog_msg(NetworkManager_t) miscfiles_read_localization(NetworkManager_t) miscfiles_read_generic_certs(NetworkManager_t) @@ -32042,7 +32188,7 @@ index 0619395..6000a3f 100644 ') optional_policy(` -@@ -172,14 +200,21 @@ optional_policy(` +@@ -172,14 +201,21 @@ optional_policy(` ') optional_policy(` @@ -32065,7 +32211,7 @@ index 0619395..6000a3f 100644 ') ') -@@ -202,6 +237,17 @@ optional_policy(` +@@ -202,6 +238,17 @@ optional_policy(` ') optional_policy(` 
@@ -32083,7 +32229,7 @@ index 0619395..6000a3f 100644 iptables_domtrans(NetworkManager_t) ') -@@ -219,6 +265,11 @@ optional_policy(` +@@ -219,6 +266,11 @@ optional_policy(` ') optional_policy(` @@ -32095,7 +32241,7 @@ index 0619395..6000a3f 100644 openvpn_domtrans(NetworkManager_t) openvpn_kill(NetworkManager_t) openvpn_signal(NetworkManager_t) -@@ -263,6 +314,7 @@ optional_policy(` +@@ -263,6 +315,7 @@ optional_policy(` vpn_kill(NetworkManager_t) vpn_signal(NetworkManager_t) vpn_signull(NetworkManager_t) @@ -34216,7 +34362,7 @@ index 9759ed8..48a5431 100644 admin_pattern($1, plymouthd_var_run_t) ') diff --git a/policy/modules/services/plymouthd.te b/policy/modules/services/plymouthd.te -index 06e217d..dc27c14 100644 +index 06e217d..208ef3a 100644 --- a/policy/modules/services/plymouthd.te +++ b/policy/modules/services/plymouthd.te @@ -8,6 +8,7 @@ policy_module(plymouthd, 1.0.1) @@ -34248,12 +34394,14 @@ index 06e217d..dc27c14 100644 manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t) manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t) files_pid_filetrans(plymouthd_t, plymouthd_var_run_t, { file dir }) -@@ -60,10 +68,23 @@ domain_use_interactive_fds(plymouthd_t) +@@ -60,10 +68,25 @@ domain_use_interactive_fds(plymouthd_t) files_read_etc_files(plymouthd_t) files_read_usr_files(plymouthd_t) +term_use_unallocated_ttys(plymouthd_t) + ++init_signal(plymouthd_t) ++ +logging_link_generic_logs(plymouthd_t) +logging_delete_generic_logs(plymouthd_t) + @@ -34272,7 +34420,7 @@ index 06e217d..dc27c14 100644 ######################################## # # Plymouth private policy -@@ -74,6 +95,7 @@ allow plymouth_t self:fifo_file rw_file_perms; +@@ -74,6 +97,7 @@ allow plymouth_t self:fifo_file rw_file_perms; allow plymouth_t self:unix_stream_socket create_stream_socket_perms; kernel_read_system_state(plymouth_t) 
@@ -34280,7 +34428,7 @@ index 06e217d..dc27c14 100644 domain_use_interactive_fds(plymouth_t) -@@ -87,7 +109,7 @@ sysnet_read_config(plymouth_t) +@@ -87,7 +111,7 @@ sysnet_read_config(plymouth_t) plymouthd_stream_connect(plymouth_t) @@ -40685,7 +40833,7 @@ index c954f31..7f57f22 100644 + admin_pattern($1, spamd_var_run_t) ') diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te -index ec1eb1e..7e51d2b 100644 +index ec1eb1e..14832cf 100644 --- a/policy/modules/services/spamassassin.te +++ b/policy/modules/services/spamassassin.te @@ -6,54 +6,93 @@ policy_module(spamassassin, 2.4.0) @@ -41027,7 +41175,7 @@ index ec1eb1e..7e51d2b 100644 fs_manage_cifs_files(spamd_t) ') -@@ -399,7 +497,9 @@ optional_policy(` +@@ -399,24 +497,24 @@ optional_policy(` ') optional_policy(` @@ -41037,24 +41185,29 @@ index ec1eb1e..7e51d2b 100644 dcc_stream_connect_dccifd(spamd_t) ') -@@ -408,25 +508,17 @@ optional_policy(` + optional_policy(` +- milter_manage_spamass_state(spamd_t) ++ mta_send_mail(spamd_t) ') optional_policy(` - corenet_tcp_connect_mysqld_port(spamd_t) - corenet_sendrecv_mysqld_client_packets(spamd_t) - -+ mysql_tcp_connect(spamd_t) - mysql_search_db(spamd_t) - mysql_stream_connect(spamd_t) +- mysql_search_db(spamd_t) +- mysql_stream_connect(spamd_t) ++ milter_manage_spamass_state(spamd_t) ') optional_policy(` - nis_use_ypbind(spamd_t) --') -- --optional_policy(` - postfix_read_config(spamd_t) ++ mysql_tcp_connect(spamd_t) ++ mysql_search_db(spamd_t) ++ mysql_stream_connect(spamd_t) + ') + + optional_policy(` +@@ -424,9 +522,7 @@ optional_policy(` ') optional_policy(` @@ -41065,7 +41218,7 @@ index ec1eb1e..7e51d2b 100644 postgresql_stream_connect(spamd_t) ') -@@ -437,6 +529,10 @@ optional_policy(` +@@ -437,6 +533,10 @@ optional_policy(` optional_policy(` razor_domtrans(spamd_t) 
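Review bot: `mta_send_mail(spamd_t)` in the spamassassin.te hunk gives spamd, which parses untrusted message content from the network, a transition into the MTA client domain, and the changelog entry ("Allow spamd to sent mail") does not say which spamd feature needs it. A one-line comment naming that feature, e.g. `# spamd invokes sendmail for <feature> — TODO confirm`, would let a later reviewer decide whether this belongs behind a boolean rather than being unconditional. The same hunk also moves the milter and mysql optional_policy blocks around without changing their contents, which hides the single functional addition in a larger diff; the spamd_t section continues past the hunk.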
@@ -42421,6 +42574,15 @@ index d50c10d..97ce79e 100644 inetd_udp_service_domain(tftpd_t, tftpd_exec_t) ') +diff --git a/policy/modules/services/tgtd.fc b/policy/modules/services/tgtd.fc +index 8294f6f..4847b43 100644 +--- a/policy/modules/services/tgtd.fc ++++ b/policy/modules/services/tgtd.fc +@@ -1,3 +1,4 @@ + /etc/rc\.d/init\.d/tgtd -- gen_context(system_u:object_r:tgtd_initrc_exec_t,s0) + /usr/sbin/tgtd -- gen_context(system_u:object_r:tgtd_exec_t,s0) + /var/lib/tgtd(/.*)? gen_context(system_u:object_r:tgtd_var_lib_t,s0) ++/var/run/tgtd.* -s gen_context(system_u:object_r:tgtd_var_run_t,s0) diff --git a/policy/modules/services/tgtd.if b/policy/modules/services/tgtd.if index b113b41..c2ed23a 100644 --- a/policy/modules/services/tgtd.if @@ -42471,10 +42633,20 @@ index b113b41..c2ed23a 100644 + allow $1 tgtd_t:sem create_sem_perms; ') diff --git a/policy/modules/services/tgtd.te b/policy/modules/services/tgtd.te -index aa0cc45..44dfdc8 100644 +index aa0cc45..a8c69f5 100644 --- a/policy/modules/services/tgtd.te +++ b/policy/modules/services/tgtd.te -@@ -29,7 +29,7 @@ files_type(tgtd_var_lib_t) +@@ -21,6 +21,9 @@ files_tmpfs_file(tgtd_tmpfs_t) + type tgtd_var_lib_t; + files_type(tgtd_var_lib_t) + ++type tgtd_var_run_t; ++files_pid_file(tgtd_var_run_t) ++ + ######################################## + # + # TGTD personal policy. +@@ -29,7 +32,7 @@ files_type(tgtd_var_lib_t) allow tgtd_t self:capability sys_resource; allow tgtd_t self:process { setrlimit signal }; allow tgtd_t self:fifo_file rw_fifo_file_perms; 
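Review bot: The new tgtd.fc entry `/var/run/tgtd.* -s gen_context(system_u:object_r:tgtd_var_run_t,s0)` matches socket files only, but the tgtd.te hunk on the next line adds `manage_files_pattern(tgtd_t, tgtd_var_run_t,tgtd_var_run_t)` and `files_pid_filetrans(tgtd_t,tgtd_var_run_t, { file sock_file })`, so a regular pid file is created as tgtd_var_run_t yet has no matching file context; a relabel would presumably move it to the generic pid type and tgtd would then lose access to its own pid file after the next restorecon. Either drop the `-s` qualifier or add a second `--` entry for the pid file so the file contexts and the transition rule agree. The tgtd_t section is split across this and the following hunk.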
@@ -42483,7 +42655,19 @@ index aa0cc45..44dfdc8 100644 allow tgtd_t self:shm create_shm_perms; allow tgtd_t self:sem create_sem_perms; allow tgtd_t self:tcp_socket create_stream_socket_perms; -@@ -57,10 +57,18 @@ corenet_tcp_bind_generic_node(tgtd_t) +@@ -46,6 +49,11 @@ manage_dirs_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t) + manage_files_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t) + files_var_lib_filetrans(tgtd_t, tgtd_var_lib_t, { dir file }) + ++manage_dirs_pattern(tgtd_t, tgtd_var_run_t,tgtd_var_run_t) ++manage_files_pattern(tgtd_t, tgtd_var_run_t,tgtd_var_run_t) ++manage_sock_files_pattern(tgtd_t, tgtd_var_run_t,tgtd_var_run_t) ++files_pid_filetrans(tgtd_t,tgtd_var_run_t, { file sock_file }) ++ + kernel_read_fs_sysctls(tgtd_t) + + corenet_all_recvfrom_netlabel(tgtd_t) +@@ -57,10 +65,18 @@ corenet_tcp_bind_generic_node(tgtd_t) corenet_tcp_bind_iscsi_port(tgtd_t) corenet_sendrecv_iscsi_server_packets(tgtd_t) @@ -43013,7 +43197,7 @@ index 32a3c13..7baeb6f 100644 optional_policy(` diff --git a/policy/modules/services/virt.fc b/policy/modules/services/virt.fc -index 2124b6a..6546d6e 100644 +index 2124b6a..1b33cbb 100644 --- a/policy/modules/services/virt.fc +++ b/policy/modules/services/virt.fc @@ -1,4 +1,5 @@ @@ -43023,7 +43207,7 @@ index 2124b6a..6546d6e 100644 HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_image_t,s0) HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) -@@ -13,17 +14,19 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t +@@ -13,17 +14,25 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t /etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) /usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0) 
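Review bot: The four added pattern calls in the tgtd.te hunk omit the space after the comma (`tgtd_var_run_t,tgtd_var_run_t`, `files_pid_filetrans(tgtd_t,tgtd_var_run_t, ...)`), unlike every neighbouring call such as `files_var_lib_filetrans(tgtd_t, tgtd_var_lib_t, { dir file })` two lines above. Write them as `manage_dirs_pattern(tgtd_t, tgtd_var_run_t, tgtd_var_run_t)` and `files_pid_filetrans(tgtd_t, tgtd_var_run_t, { file sock_file })` so the block matches the file's style. The tgtd_t section continues outside the hunk.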
@@ -43046,8 +43230,14 @@ index 2124b6a..6546d6e 100644 +/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh) /var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) ++ ++# support for AEOLUS project ++/usr/bin/imgfac\.py -- gen_context(system_u:object_r:virtd_exec_t,s0) ++/var/cache/oz(/.*)? gen_context(system_u:object_r:virt_cache_t,s0) ++/var/lib/oz(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) ++/var/lib/oz/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if -index 7c5d8d8..9b24cb5 100644 +index 7c5d8d8..b961fd7 100644 --- a/policy/modules/services/virt.if +++ b/policy/modules/services/virt.if @@ -13,14 +13,15 @@ @@ -43307,10 +43497,23 @@ index 7c5d8d8..9b24cb5 100644 ') ######################################## -@@ -516,3 +590,144 @@ interface(`virt_admin',` +@@ -500,6 +574,7 @@ interface(`virt_manage_images',` + interface(`virt_admin',` + gen_require(` + type virtd_t, virtd_initrc_exec_t; ++ attribute virt_domain; + ') + + allow $1 virtd_t:process { ptrace signal_perms }; +@@ -515,4 +590,149 @@ interface(`virt_admin',` + virt_manage_lib_files($1) virt_manage_log($1) - ') ++ ++ virt_manage_images($1) ++ ++ allow $1 virt_domain:process { ptrace signal_perms }; ++') + +######################################## +## @@ -43451,7 +43654,7 @@ index 7c5d8d8..9b24cb5 100644 + ') + + allow $1 virt_tmpfs_type:file manage_file_perms; -+') + ') diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te index 3eca020..9d3bc6d 100644 --- a/policy/modules/services/virt.te @@ -46643,10 +46846,10 @@ index c26ecf5..b906c48 100644 diff --git a/policy/modules/services/zarafa.fc b/policy/modules/services/zarafa.fc new file mode 100644 -index 0000000..56cb5af +index 0000000..72059b2 --- /dev/null 
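Review bot: `/usr/bin/imgfac\.py -- gen_context(system_u:object_r:virtd_exec_t,s0)` in the virt.fc hunk makes a Python script an entry point into virtd_t, so whatever runs the image factory inherits the whole libvirt daemon domain, and the `# support for AEOLUS project` comment does not say why a dedicated domain was not used. If the script genuinely needs libvirtd's full privileges, say so beside the entry, e.g. `# imgfac drives libvirt directly and runs as virtd_t — TODO confirm`; otherwise a separate image-factory domain with only the access it needs is the conventional fix. The virt.if hunk's `allow $1 virt_domain:process { ptrace signal_perms };` additionally lets an admin role ptrace every virt process, which is appropriate for an admin interface but should be stated in virt_admin's summary, which lies outside this hunk.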
+++ b/policy/modules/services/zarafa.fc -@@ -0,0 +1,27 @@ +@@ -0,0 +1,29 @@ + +/etc/zarafa(/.*)? gen_context(system_u:object_r:zarafa_etc_t,s0) + @@ -46662,6 +46865,8 @@ index 0000000..56cb5af + +/usr/bin/zarafa-monitor -- gen_context(system_u:object_r:zarafa_monitor_exec_t,s0) + ++/var/lib/zarafa-.* gen_context(system_u:object_r:zarafa_var_lib_t,s0) ++ +/var/log/zarafa/server\.log -- gen_context(system_u:object_r:zarafa_server_log_t,s0) +/var/log/zarafa/spooler\.log -- gen_context(system_u:object_r:zarafa_spooler_log_t,s0) +/var/log/zarafa/gateway\.log -- gen_context(system_u:object_r:zarafa_gateway_log_t,s0) @@ -46804,10 +47009,10 @@ index 0000000..8a909f5 +') diff --git a/policy/modules/services/zarafa.te b/policy/modules/services/zarafa.te new file mode 100644 -index 0000000..6b80580 +index 0000000..fec9997 --- /dev/null +++ b/policy/modules/services/zarafa.te -@@ -0,0 +1,127 @@ +@@ -0,0 +1,141 @@ +policy_module(zarafa, 1.0.0) + +######################################## @@ -46827,6 +47032,12 @@ index 0000000..6b80580 +type zarafa_deliver_tmp_t; +files_tmp_file(zarafa_deliver_tmp_t) + ++type zarafa_server_tmp_t; ++files_tmp_file(zarafa_server_tmp_t) ++ ++type zarafa_var_lib_t; ++files_tmp_file(zarafa_var_lib_t) ++ +type zarafa_etc_t; +files_config_file(zarafa_etc_t) + 
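Review bot: `files_tmp_file(zarafa_var_lib_t)` in the zarafa.te declarations hunk declares the new /var/lib type as a temporary-file type, which reads like a copy of the `zarafa_server_tmp_t` lines directly above it; the next hunk uses the type with `files_var_lib_filetrans`, and the comparable `tgtd_var_lib_t` earlier in this same diff is declared with `files_type(...)`. Marking persistent state as a tmp type pulls it into every interface that operates on temporary files, so `/var/lib/zarafa-*` contents become eligible for tmp cleanup and relabel by unrelated domains. Change the line to `files_type(zarafa_var_lib_t)`.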
@@ -46851,7 +47062,15 @@ index 0000000..6b80580 +# + +allow zarafa_server_t self:capability { chown kill net_bind_service }; -+allow zarafa_server_t self:process { setrlimit signal }; ++allow zarafa_server_t self:process setrlimit; ++ ++manage_dirs_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t) ++manage_files_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t) ++files_tmp_filetrans(zarafa_server_t, zarafa_server_tmp_t, { file dir }) ++ ++manage_dirs_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t) ++manage_files_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t) ++files_var_lib_filetrans(zarafa_server_t, zarafa_var_lib_t, { file dir }) + +corenet_tcp_bind_zarafa_port(zarafa_server_t) + @@ -46876,7 +47095,6 @@ index 0000000..6b80580 +# + +allow zarafa_spooler_t self:capability { chown kill }; -+allow zarafa_spooler_t self:process signal; + +can_exec(zarafa_spooler_t, zarafa_spooler_exec_t) + @@ -46888,7 +47106,7 @@ index 0000000..6b80580 +# + +allow zarafa_gateway_t self:capability { chown kill }; -+allow zarafa_gateway_t self:process { setrlimit signal }; ++allow zarafa_gateway_t self:process setrlimit; + +corenet_tcp_bind_pop_port(zarafa_gateway_t) + @@ -46915,6 +47133,7 @@ index 0000000..6b80580 + +# bad permission on /etc/zarafa +allow zarafa_domain self:capability { dac_override setgid setuid }; ++allow zarafa_domain self:process signal; +allow zarafa_domain self:fifo_file rw_fifo_file_perms; +allow zarafa_domain self:tcp_socket create_stream_socket_perms; +allow zarafa_domain self:unix_stream_socket create_stream_socket_perms; @@ -48087,7 +48306,7 @@ index 354ce93..f97fbb7 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index cc83689..8c9b7fa 100644 +index cc83689..e83c909 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if 
@@ -79,6 +79,41 @@ interface(`init_script_domain',` @@ -48315,7 +48534,32 @@ index cc83689..8c9b7fa 100644 ') ######################################## -@@ -519,10 +636,30 @@ interface(`init_sigchld',` +@@ -509,6 +626,24 @@ interface(`init_sigchld',` + + ######################################## + ## ++## Send generic signals to init. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_signal',` ++ gen_require(` ++ type init_t; ++ ') ++ ++ allow $1 init_t:process signal; ++') ++ ++######################################## ++## + ## Connect to init with a unix socket. + ## + ## +@@ -519,10 +654,30 @@ interface(`init_sigchld',` # interface(`init_stream_connect',` gen_require(` @@ -48348,7 +48592,7 @@ index cc83689..8c9b7fa 100644 ') ######################################## -@@ -688,19 +825,24 @@ interface(`init_telinit',` +@@ -688,19 +843,24 @@ interface(`init_telinit',` type initctl_t; ') @@ -48374,7 +48618,7 @@ index cc83689..8c9b7fa 100644 ') ') -@@ -773,18 +915,19 @@ interface(`init_script_file_entry_type',` +@@ -773,18 +933,19 @@ interface(`init_script_file_entry_type',` # interface(`init_spec_domtrans_script',` gen_require(` @@ -48398,7 +48642,7 @@ index cc83689..8c9b7fa 100644 ') ') -@@ -800,23 +943,45 @@ interface(`init_spec_domtrans_script',` +@@ -800,23 +961,45 @@ interface(`init_spec_domtrans_script',` # interface(`init_domtrans_script',` gen_require(` @@ -48448,7 +48692,7 @@ index cc83689..8c9b7fa 100644 ## Execute a init script in a specified domain. ## ## -@@ -868,9 +1033,14 @@ interface(`init_script_file_domtrans',` +@@ -868,9 +1051,14 @@ interface(`init_script_file_domtrans',` interface(`init_labeled_script_domtrans',` gen_require(` type initrc_t; @@ -48463,7 +48707,7 @@ index cc83689..8c9b7fa 100644 files_search_etc($1) ') -@@ -1079,6 +1249,24 @@ interface(`init_read_all_script_files',` +@@ -1079,6 +1267,24 @@ interface(`init_read_all_script_files',` ####################################### ## 
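Review bot: The new init_signal interface's summary `## Send generic signals to init.` understates what `allow $1 init_t:process signal;` grants: in the SELinux process class `signal` covers all signals other than kill, stop, chld and the null signal, and PID 1 treats several of them (SIGINT, SIGHUP, and on some init implementations SIGTERM) as reboot, reload or re-exec requests. Suggest making the description say that so callers grant it deliberately, e.g. `## Send generic signals (all but kill/stop/chld) to init; these reach init's reload and shutdown handlers, so grant only to domains that must control init.` The remaining hunks on this line only renumber existing init.if hunks.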
@@ -48488,7 +48732,7 @@ index cc83689..8c9b7fa 100644 ## Dontaudit read all init script files. ## ## -@@ -1130,12 +1318,7 @@ interface(`init_read_script_state',` +@@ -1130,12 +1336,7 @@ interface(`init_read_script_state',` ') kernel_search_proc($1) @@ -48502,7 +48746,7 @@ index cc83689..8c9b7fa 100644 ') ######################################## -@@ -1375,6 +1558,27 @@ interface(`init_dbus_send_script',` +@@ -1375,6 +1576,27 @@ interface(`init_dbus_send_script',` ######################################## ## ## Send and receive messages from @@ -48530,7 +48774,7 @@ index cc83689..8c9b7fa 100644 ## init scripts over dbus. ## ## -@@ -1461,6 +1665,25 @@ interface(`init_getattr_script_status_files',` +@@ -1461,6 +1683,25 @@ interface(`init_getattr_script_status_files',` ######################################## ## @@ -48556,7 +48800,7 @@ index cc83689..8c9b7fa 100644 ## Do not audit attempts to read init script ## status files. ## -@@ -1519,6 +1742,24 @@ interface(`init_rw_script_tmp_files',` +@@ -1519,6 +1760,24 @@ interface(`init_rw_script_tmp_files',` ######################################## ## @@ -48581,7 +48825,7 @@ index cc83689..8c9b7fa 100644 ## Create files in a init script ## temporary data directory. ## -@@ -1674,7 +1915,7 @@ interface(`init_dontaudit_rw_utmp',` +@@ -1674,7 +1933,7 @@ interface(`init_dontaudit_rw_utmp',` type initrc_var_run_t; ') @@ -48590,7 +48834,7 @@ index cc83689..8c9b7fa 100644 ') ######################################## -@@ -1715,6 +1956,74 @@ interface(`init_pid_filetrans_utmp',` +@@ -1715,6 +1974,74 @@ interface(`init_pid_filetrans_utmp',` files_pid_filetrans($1, initrc_var_run_t, file) ') @@ -48665,7 +48909,7 @@ index cc83689..8c9b7fa 100644 ######################################## ## ## Allow the specified domain to connect to daemon with a tcp socket -@@ -1749,3 +2058,139 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1749,3 +2076,139 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') 
@@ -48806,7 +49050,7 @@ index cc83689..8c9b7fa 100644 +') + diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index ea29513..d6ca7e5 100644 +index ea29513..890810e 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` @@ -49307,8 +49551,14 @@ index ea29513..d6ca7e5 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -524,6 +725,23 @@ ifdef(`distro_redhat',` +@@ -522,8 +723,29 @@ ifdef(`distro_redhat',` + ') + optional_policy(` ++ abrt_manage_pid_files(initrc_t) ++ ') ++ ++ optional_policy(` bind_manage_config_dirs(initrc_t) bind_write_config(initrc_t) + bind_setattr_zone_dirs(initrc_t) @@ -49331,7 +49581,7 @@ index ea29513..d6ca7e5 100644 ') optional_policy(` -@@ -531,10 +749,17 @@ ifdef(`distro_redhat',` +@@ -531,10 +753,17 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -49349,7 +49599,7 @@ index ea29513..d6ca7e5 100644 ') optional_policy(` -@@ -549,6 +774,39 @@ ifdef(`distro_suse',` +@@ -549,6 +778,39 @@ ifdef(`distro_suse',` ') ') @@ -49389,7 +49639,7 @@ index ea29513..d6ca7e5 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -561,6 +819,8 @@ optional_policy(` +@@ -561,6 +823,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -49398,7 +49648,7 @@ index ea29513..d6ca7e5 100644 ') optional_policy(` -@@ -577,6 +837,7 @@ optional_policy(` +@@ -577,6 +841,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -49406,7 +49656,7 @@ index ea29513..d6ca7e5 100644 ') optional_policy(` -@@ -589,6 +850,11 @@ optional_policy(` +@@ -589,6 +854,11 @@ optional_policy(` ') optional_policy(` 
@@ -49418,7 +49668,7 @@ index ea29513..d6ca7e5 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -605,9 +871,13 @@ optional_policy(` +@@ -605,9 +875,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -49432,7 +49682,7 @@ index ea29513..d6ca7e5 100644 ') optional_policy(` -@@ -649,6 +919,11 @@ optional_policy(` +@@ -649,6 +923,11 @@ optional_policy(` ') optional_policy(` @@ -49444,7 +49694,7 @@ index ea29513..d6ca7e5 100644 inn_exec_config(initrc_t) ') -@@ -706,7 +981,13 @@ optional_policy(` +@@ -706,7 +985,13 @@ optional_policy(` ') optional_policy(` @@ -49458,7 +49708,7 @@ index ea29513..d6ca7e5 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -729,6 +1010,10 @@ optional_policy(` +@@ -729,6 +1014,10 @@ optional_policy(` ') optional_policy(` @@ -49469,7 +49719,7 @@ index ea29513..d6ca7e5 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -738,10 +1023,20 @@ optional_policy(` +@@ -738,10 +1027,20 @@ optional_policy(` ') optional_policy(` @@ -49490,7 +49740,7 @@ index ea29513..d6ca7e5 100644 quota_manage_flags(initrc_t) ') -@@ -750,6 +1045,10 @@ optional_policy(` +@@ -750,6 +1049,10 @@ optional_policy(` ') optional_policy(` @@ -49501,7 +49751,7 @@ index ea29513..d6ca7e5 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -771,8 +1070,6 @@ optional_policy(` +@@ -771,8 +1074,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -49510,7 +49760,7 @@ index ea29513..d6ca7e5 100644 ') optional_policy(` -@@ -781,14 +1078,21 @@ optional_policy(` +@@ -781,14 +1082,21 @@ optional_policy(` ') optional_policy(` @@ -49532,7 +49782,7 @@ index ea29513..d6ca7e5 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -800,7 +1104,6 @@ optional_policy(` +@@ -800,7 +1108,6 @@ optional_policy(` ') optional_policy(` 
@@ -49540,7 +49790,7 @@ index ea29513..d6ca7e5 100644 udev_manage_pid_files(initrc_t) udev_manage_rules_files(initrc_t) ') -@@ -810,11 +1113,24 @@ optional_policy(` +@@ -810,11 +1117,24 @@ optional_policy(` ') optional_policy(` @@ -49566,7 +49816,7 @@ index ea29513..d6ca7e5 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -824,6 +1140,25 @@ optional_policy(` +@@ -824,6 +1144,25 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -49592,7 +49842,7 @@ index ea29513..d6ca7e5 100644 ') optional_policy(` -@@ -849,3 +1184,42 @@ optional_policy(` +@@ -849,3 +1188,42 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -50949,7 +51199,7 @@ index c7cfb62..ee89659 100644 init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 9b5a9ed..d3522be 100644 +index 9b5a9ed..68fe7d8 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -19,6 +19,11 @@ type auditd_log_t; @@ -51092,7 +51342,7 @@ index 9b5a9ed..d3522be 100644 # manage pid file manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) files_pid_filetrans(syslogd_t, syslogd_var_run_t, file) -@@ -412,6 +455,9 @@ corenet_sendrecv_mysqld_client_packets(syslogd_t) +@@ -412,7 +455,11 @@ corenet_sendrecv_mysqld_client_packets(syslogd_t) dev_filetrans(syslogd_t, devlog_t, sock_file) dev_read_sysfs(syslogd_t) @@ -51100,9 +51350,11 @@ index 9b5a9ed..d3522be 100644 +# relating to systemd-kmsg-syslogd +dev_write_kmsg(syslogd_t) ++domain_read_all_domains_state(syslogd_t) domain_use_interactive_fds(syslogd_t) -@@ -432,6 +478,7 @@ term_write_console(syslogd_t) + files_read_etc_files(syslogd_t) +@@ -432,6 +479,7 @@ term_write_console(syslogd_t) # Allow syslog to a terminal term_write_unallocated_ttys(syslogd_t) 
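Review bot: `domain_read_all_domains_state(syslogd_t)` in the logging.te hunk lets syslogd read the /proc state of every process on the system, a broad disclosure path for a daemon that also accepts network input, and the changelog entry ("Allow syslog to read the process state") does not name the feature that needs it. A comment such as `# rsyslog reads /proc/PID state for <feature> — TODO confirm` would justify the breadth, and if only attribute lookups are required the narrower `domain_getattr_all_domains` interface should be preferred. The syslogd_t section continues outside this hunk.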
@@ -51110,7 +51362,7 @@ index 9b5a9ed..d3522be 100644 # for sending messages to logged in users init_read_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t) -@@ -480,6 +527,10 @@ optional_policy(` +@@ -480,6 +528,10 @@ optional_policy(` ') optional_policy(` @@ -51121,7 +51373,7 @@ index 9b5a9ed..d3522be 100644 postgresql_stream_connect(syslogd_t) ') -@@ -488,6 +539,10 @@ optional_policy(` +@@ -488,6 +540,10 @@ optional_policy(` ') optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index 227f73c..b43164f 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.16 -Release: 15%{?dist} +Release: 16%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -471,6 +471,30 @@ exit 0 %endif %changelog +* Thu Apr 21 2011 Miroslav Grepl 3.9.16-16 +- Allow spamd to sent mail +- Needs to be able to write to its systemhigh log file +- Fix aide policy to run on MLS boxes +- Allow NetworkManager to manage content in /etc/NetworkManager/system-connections +- Allow user_t and staff_t access to generic scsi to handle locally plugged in scanners +- Allow telepath_msn_t to read /proc/PARENT/cmdline +- ftpd needs kill capability +- Allow telepath_msn_t to connect to sip port +- keyring daemon does not work on nfs homedirs +- Allow $1_sudo_t to read default SELinux context +- Add label for tgtd sock file in /var/run/ +- Add apache_exec_rotatelogs interface +- allow all zaraha domains to signal themselves, server writes to /tmp +- Allow syslog to read the process state +- Add label for /usr/lib/chromium-browser/chrome +- Remove the telepathy transition from unconfined_t +- Dontaudit sandbox domains trying to mounton sandbox_file_t, this is caused by fuse mounts +- Allow initrc_t domain to manage abrt pid files +- Add support for AEOLUS project +- Virt_admin should be allowed to manage images and processes +- Allow plymountd to send signals to init +- Change labeling of fping6 + * Wed Apr 13 2011 Miroslav Grepl 3.9.16-15 - xdm_t needs getsession for switch user - Every app that used to exec init is now execing systemdctl