diff --git a/policy-f20-base.patch b/policy-f20-base.patch
index 653e1c3..33dc3cc 100644
--- a/policy-f20-base.patch
+++ b/policy-f20-base.patch
@@ -3452,7 +3452,7 @@ index 7590165..85186a9 100644
+ fs_mounton_fusefs(seunshare_domain)
')
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 644d4d7..c8ab679 100644
+index 644d4d7..ef87fdd 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -1,9 +1,10 @@
@@ -3534,7 +3534,12 @@ index 644d4d7..c8ab679 100644
ifdef(`distro_gentoo',`
/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0)
-@@ -151,7 +165,7 @@ ifdef(`distro_gentoo',`
+@@ -148,10 +162,12 @@ ifdef(`distro_gentoo',`
+ /lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0)
+ ')
+
++/usr/lib/erlang/erts.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
++
#
# /sbin
#
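Review bot: The added file-context pattern `/usr/lib/erlang/erts.*/bin(/.*)?` is wider than it needs to be, because `.*` also matches `/`, so any deeper path under /usr/lib/erlang that begins with `erts` and contains a `/bin` component is labelled bin_t. Restricting the version component, `/usr/lib/erlang/erts[^/]*/bin(/.*)?`, keeps the label on the runtime's own bin directory. The entry also has no comment; something like `# Erlang runtime binaries (beam, epmd), previously labelled by the rabbitmq module` would explain why it sits in corecommands.fc.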
@@ -3543,7 +3548,7 @@ index 644d4d7..c8ab679 100644
/sbin/.* gen_context(system_u:object_r:bin_t,s0)
/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
-@@ -167,6 +181,7 @@ ifdef(`distro_gentoo',`
+@@ -167,6 +183,7 @@ ifdef(`distro_gentoo',`
/opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/opt/google/talkplugin(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -3551,7 +3556,7 @@ index 644d4d7..c8ab679 100644
/opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -178,33 +193,49 @@ ifdef(`distro_gentoo',`
+@@ -178,33 +195,49 @@ ifdef(`distro_gentoo',`
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
')
@@ -3610,7 +3615,7 @@ index 644d4d7..c8ab679 100644
/usr/lib/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0)
/usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -215,18 +246,31 @@ ifdef(`distro_gentoo',`
+@@ -215,18 +248,31 @@ ifdef(`distro_gentoo',`
/usr/lib/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0)
/usr/lib/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
@@ -3649,7 +3654,7 @@ index 644d4d7..c8ab679 100644
/usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0)
-@@ -241,26 +285,39 @@ ifdef(`distro_gentoo',`
+@@ -241,26 +287,39 @@ ifdef(`distro_gentoo',`
/usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
@@ -3694,7 +3699,7 @@ index 644d4d7..c8ab679 100644
/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -269,6 +326,7 @@ ifdef(`distro_gentoo',`
+@@ -269,6 +328,7 @@ ifdef(`distro_gentoo',`
/usr/share/ajaxterm/qweb.py.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0)
@@ -3702,7 +3707,7 @@ index 644d4d7..c8ab679 100644
/usr/share/dayplanner/dayplanner -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/denyhosts/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -276,10 +334,15 @@ ifdef(`distro_gentoo',`
+@@ -276,10 +336,15 @@ ifdef(`distro_gentoo',`
/usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
@@ -3718,7 +3723,7 @@ index 644d4d7..c8ab679 100644
/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -294,16 +357,22 @@ ifdef(`distro_gentoo',`
+@@ -294,16 +359,22 @@ ifdef(`distro_gentoo',`
/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
@@ -3743,7 +3748,7 @@ index 644d4d7..c8ab679 100644
ifdef(`distro_debian',`
/usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0)
-@@ -321,20 +390,27 @@ ifdef(`distro_redhat', `
+@@ -321,20 +392,27 @@ ifdef(`distro_redhat', `
/etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0)
/etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0)
@@ -3772,7 +3777,7 @@ index 644d4d7..c8ab679 100644
/usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -342,6 +418,7 @@ ifdef(`distro_redhat', `
+@@ -342,6 +420,7 @@ ifdef(`distro_redhat', `
/usr/share/ssl/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0)
@@ -3780,7 +3785,7 @@ index 644d4d7..c8ab679 100644
/usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0)
-@@ -383,11 +460,16 @@ ifdef(`distro_suse', `
+@@ -383,11 +462,16 @@ ifdef(`distro_suse', `
#
# /var
#
@@ -3798,7 +3803,7 @@ index 644d4d7..c8ab679 100644
/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
/var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0)
-@@ -397,3 +479,12 @@ ifdef(`distro_suse', `
+@@ -397,3 +481,12 @@ ifdef(`distro_suse', `
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index 70da7ca..2115a33 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -15632,16 +15632,23 @@ index eeea48d..691ca11 100644
+ wdmd_rw_tmpfs(corosync_t)
+')
diff --git a/couchdb.fc b/couchdb.fc
-index c086302..4f33119 100644
+index c086302..5380ab6 100644
--- a/couchdb.fc
+++ b/couchdb.fc
-@@ -1,3 +1,6 @@
-+
+@@ -1,8 +1,10 @@
+-/etc/couchdb(/.*)? gen_context(system_u:object_r:couchdb_conf_t,s0)
+-
+ /etc/rc\.d/init\.d/couchdb -- gen_context(system_u:object_r:couchdb_initrc_exec_t,s0)
+
+-/usr/bin/couchdb -- gen_context(system_u:object_r:couchdb_exec_t,s0)
+/usr/lib/systemd/system/couchdb.* -- gen_context(system_u:object_r:couchdb_unit_file_t,s0)
+
- /etc/couchdb(/.*)? gen_context(system_u:object_r:couchdb_conf_t,s0)
++/etc/couchdb(/.*)? gen_context(system_u:object_r:couchdb_conf_t,s0)
++
++/usr/libexec/couchdb -- gen_context(system_u:object_r:couchdb_exec_t,s0)
+
+ /var/lib/couchdb(/.*)? gen_context(system_u:object_r:couchdb_var_lib_t,s0)
- /etc/rc\.d/init\.d/couchdb -- gen_context(system_u:object_r:couchdb_initrc_exec_t,s0)
diff --git a/couchdb.if b/couchdb.if
index 83d6744..3f0c0dc 100644
--- a/couchdb.if
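Review bot: Moving the `couchdb_exec_t` entry from `/usr/bin/couchdb` to `/usr/libexec/couchdb` removes the entrypoint label for any install that still ships the launcher at the old path. There the file would fall back to the generic label for /usr/bin, and the daemon would presumably start without transitioning into couchdb_t. If both package layouts are supported, keep the old line next to the new one: `/usr/bin/couchdb -- gen_context(system_u:object_r:couchdb_exec_t,s0)`. Otherwise add a comment stating which package version moved the binary.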
@@ -15879,7 +15886,7 @@ index 83d6744..3f0c0dc 100644
+ ')
')
diff --git a/couchdb.te b/couchdb.te
-index 503adab..046fe9b 100644
+index 503adab..c5128a8 100644
--- a/couchdb.te
+++ b/couchdb.te
@@ -27,6 +27,9 @@ files_type(couchdb_var_lib_t)
@@ -15892,7 +15899,37 @@ index 503adab..046fe9b 100644
########################################
#
# Local policy
-@@ -79,10 +82,7 @@ dev_list_sysfs(couchdb_t)
+@@ -35,10 +38,10 @@ files_pid_file(couchdb_var_run_t)
+ allow couchdb_t self:process { setsched signal signull sigkill };
+ allow couchdb_t self:fifo_file rw_fifo_file_perms;
+ allow couchdb_t self:unix_stream_socket create_stream_socket_perms;
++allow couchdb_t self:unix_dgram_socket create_socket_perms;
+ allow couchdb_t self:tcp_socket { accept listen };
+
+-allow couchdb_t couchdb_conf_t:dir list_dir_perms;
+-allow couchdb_t couchdb_conf_t:file read_file_perms;
++manage_files_pattern(couchdb_t, couchdb_conf_t, couchdb_conf_t)
+
+ manage_dirs_pattern(couchdb_t, couchdb_log_t, couchdb_log_t)
+ append_files_pattern(couchdb_t, couchdb_log_t, couchdb_log_t)
+@@ -56,7 +59,7 @@ files_var_lib_filetrans(couchdb_t, couchdb_var_lib_t, dir)
+
+ manage_dirs_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t)
+ manage_files_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t)
+-files_pid_filetrans(couchdb_t, couchdb_var_run_t, dir)
++files_pid_filetrans(couchdb_t, couchdb_var_run_t, {file dir })
+
+ can_exec(couchdb_t, couchdb_exec_t)
+
+@@ -75,14 +78,15 @@ corenet_sendrecv_couchdb_server_packets(couchdb_t)
+ corenet_tcp_bind_couchdb_port(couchdb_t)
+ corenet_tcp_sendrecv_couchdb_port(couchdb_t)
+
++fs_getattr_all_files(couchdb_t)
++fs_getattr_all_dirs(couchdb_t)
++fs_getattr_all_fs(couchdb_t)
++
+ dev_list_sysfs(couchdb_t)
dev_read_sysfs(couchdb_t)
dev_read_urand(couchdb_t)
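Review bot: `manage_files_pattern(couchdb_t, couchdb_conf_t, couchdb_conf_t)` replaces read-only access to the configuration with create, write, rename and unlink, so a compromised couchdb_t can rewrite or replace its own config files. The changelog only says couchdb needs to write to them, so keeping the removed `list_dir_perms` rule and adding `rw_files_pattern(couchdb_t, couchdb_conf_t, couchdb_conf_t)` may be enough; if create/unlink is really required, a comment naming the file would justify it. The three `fs_getattr_all_*` lines added in the same hunk are also broad and undocumented; a comment with the operation that triggered them would help later audits.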
@@ -23846,7 +23883,7 @@ index 0000000..a952041
+')
diff --git a/dnssec.te b/dnssec.te
new file mode 100644
-index 0000000..7f715f8
+index 0000000..c1ab586
--- /dev/null
+++ b/dnssec.te
@@ -0,0 +1,58 @@
@@ -23897,7 +23934,7 @@ index 0000000..7f715f8
+
+logging_send_syslog_msg(dnssec_trigger_t)
+
-+auth_read_passwd(dnssec_trigger_t)
++auth_use_nsswitch(dnssec_trigger_t)
+
+sysnet_dns_name_resolve(dnssec_trigger_t)
+sysnet_manage_config(dnssec_trigger_t)
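Review bot: `auth_use_nsswitch(dnssec_trigger_t)` is a much wider grant than the `auth_read_passwd` it replaces, since it typically opens every name-service backend rather than just the passwd file, and nothing on the page says which lookup was being denied. The %changelog entry for 3.12.1-185 does not mention this change, nor the `logging_read_syslog_pid(fail2ban_t)` line added in fail2ban.te or the `fail2ban_domtrans_client(services_munin_plugin_t)` block added in munin.te. Add a changelog line for each, for example `- Allow dnssec-trigger to use nsswitch`, so the widened access can be traced to a reason.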
@@ -26591,7 +26628,7 @@ index 50d0084..6565422 100644
fail2ban_run_client($1, $2)
diff --git a/fail2ban.te b/fail2ban.te
-index 0872e50..37dfeb3 100644
+index 0872e50..4acb314 100644
--- a/fail2ban.te
+++ b/fail2ban.te
@@ -37,7 +37,7 @@ role fail2ban_client_roles types fail2ban_client_t;
@@ -26619,12 +26656,13 @@ index 0872e50..37dfeb3 100644
files_list_var(fail2ban_t)
files_dontaudit_list_tmp(fail2ban_t)
-@@ -90,24 +88,37 @@ fs_getattr_all_fs(fail2ban_t)
+@@ -90,24 +88,38 @@ fs_getattr_all_fs(fail2ban_t)
auth_use_nsswitch(fail2ban_t)
logging_read_all_logs(fail2ban_t)
+logging_read_audit_log(fail2ban_t)
logging_send_syslog_msg(fail2ban_t)
++logging_read_syslog_pid(fail2ban_t)
+logging_dontaudit_search_audit_logs(fail2ban_t)
-miscfiles_read_localization(fail2ban_t)
@@ -26661,7 +26699,7 @@ index 0872e50..37dfeb3 100644
iptables_domtrans(fail2ban_t)
')
-@@ -116,6 +127,10 @@ optional_policy(`
+@@ -116,6 +128,10 @@ optional_policy(`
')
optional_policy(`
@@ -26672,7 +26710,7 @@ index 0872e50..37dfeb3 100644
shorewall_domtrans(fail2ban_t)
')
-@@ -129,22 +144,30 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read };
+@@ -129,22 +145,30 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read };
domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
@@ -40664,7 +40702,7 @@ index dd8e01a..9cd6b0b 100644
##
##
diff --git a/logrotate.te b/logrotate.te
-index 7bab8e5..6234385 100644
+index 7bab8e5..36ced41 100644
--- a/logrotate.te
+++ b/logrotate.te
@@ -1,20 +1,26 @@
@@ -40923,7 +40961,7 @@ index 7bab8e5..6234385 100644
optional_policy(`
- psad_domtrans(logrotate_t)
-+ rabbitmq_domtrans_beam(logrotate_t)
++ rabbitmq_domtrans(logrotate_t)
+')
+
+optional_policy(`
@@ -49686,7 +49724,7 @@ index b744fe3..17e2514 100644
init_labeled_script_domtrans($1, munin_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/munin.te b/munin.te
-index 97370e4..dac7323 100644
+index 97370e4..0911867 100644
--- a/munin.te
+++ b/munin.te
@@ -37,44 +37,47 @@ munin_plugin_template(disk)
@@ -49901,7 +49939,18 @@ index 97370e4..dac7323 100644
')
optional_policy(`
-@@ -353,7 +365,11 @@ optional_policy(`
+@@ -340,6 +352,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ fail2ban_domtrans_client(services_munin_plugin_t)
++')
++
++optional_policy(`
+ lpd_exec_lpr(services_munin_plugin_t)
+ ')
+
+@@ -353,7 +369,11 @@ optional_policy(`
')
optional_policy(`
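Review bot: `fail2ban_domtrans_client(services_munin_plugin_t)` lets every munin services plugin transition into the fail2ban client domain, which is more than a monitoring plugin that reads jail status should need. From that domain the client can presumably send any command to the fail2ban server, not only status queries. A comment above the block, e.g. `# munin fail2ban plugin runs fail2ban-client to read jail status`, would record the intent. The surrounding optional_policy list continues outside the hunk.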
@@ -49914,7 +49963,7 @@ index 97370e4..dac7323 100644
')
optional_policy(`
-@@ -385,6 +401,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
+@@ -385,6 +405,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
kernel_read_network_state(system_munin_plugin_t)
kernel_read_all_sysctls(system_munin_plugin_t)
@@ -49922,7 +49971,7 @@ index 97370e4..dac7323 100644
dev_read_sysfs(system_munin_plugin_t)
dev_read_urand(system_munin_plugin_t)
-@@ -413,3 +430,32 @@ optional_policy(`
+@@ -413,3 +434,32 @@ optional_policy(`
optional_policy(`
unconfined_domain(unconfined_munin_plugin_t)
')
@@ -75548,11 +75597,21 @@ index 4b2c272..1aee969 100644
+ dbus_connect_system_bus(quota_nld_t)
')
diff --git a/rabbitmq.fc b/rabbitmq.fc
-index c5ad6de..a48c318 100644
+index c5ad6de..2bf7656 100644
--- a/rabbitmq.fc
+++ b/rabbitmq.fc
-@@ -4,7 +4,11 @@
- /usr/lib/erlang/erts.*/bin/epmd -- gen_context(system_u:object_r:rabbitmq_epmd_exec_t,s0)
+@@ -1,10 +1,19 @@
+ /etc/rc\.d/init\.d/rabbitmq-server -- gen_context(system_u:object_r:rabbitmq_initrc_exec_t,s0)
+
+-/usr/lib/erlang/erts.*/bin/beam.* -- gen_context(system_u:object_r:rabbitmq_beam_exec_t,s0)
+-/usr/lib/erlang/erts.*/bin/epmd -- gen_context(system_u:object_r:rabbitmq_epmd_exec_t,s0)
++/usr/lib/systemd/system/rabbitmq-server.* -- gen_context(system_u:object_r:rabbitmq_unit_file_t,s0)
++/usr/lib/systemd/system/ejabberd.* -- gen_context(system_u:object_r:rabbitmq_unit_file_t,s0)
++
++/usr/lib/rabbitmq/lib/rabbitmq_server-.*/sbin/rabbitmq-server -- gen_context(system_u:object_r:rabbitmq_exec_t,s0)
++/usr/lib/rabbitmq/lib/rabbitmq_server-.*/sbin/rabbitmqctl -- gen_context(system_u:object_r:rabbitmq_exec_t,s0)
++
++/usr/bin/ejabberdctl -- gen_context(system_u:object_r:rabbitmq_exec_t,s0)
/var/lib/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_lib_t,s0)
+/var/lib/ejabberd(/.*)? gen_context(system_u:object_r:rabbitmq_var_lib_t,s0)
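Review bot: Labelling `/usr/bin/ejabberdctl`, the ejabberd unit file and `/var/lib/ejabberd` with the rabbitmq types puts two unrelated network daemons into one domain with shared data types, so a compromise of either can manage the other's files under /var/lib. Separate ejabberd types would keep them apart. If the sharing is deliberate, say so next to the entries, e.g. `# ejabberd shares rabbitmq_t until it has its own module`.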
@@ -75564,31 +75623,51 @@ index c5ad6de..a48c318 100644
/var/run/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_run_t,s0)
diff --git a/rabbitmq.if b/rabbitmq.if
-index 2c3d338..cf3e5ad 100644
+index 2c3d338..7d49554 100644
--- a/rabbitmq.if
+++ b/rabbitmq.if
-@@ -10,13 +10,13 @@
- ##
- ##
+@@ -38,12 +38,12 @@ interface(`rabbitmq_domtrans',`
#
--interface(`rabbitmq_domtrans',`
-+interface(`rabbitmq_domtrans_beam',`
+ interface(`rabbitmq_admin',`
gen_require(`
-- type rabbitmq_t, rabbitmq_exec_t;
-+ type rabbitmq_beam_t, rabbitmq_beam_exec_t;
+- type rabbitmq_epmd_t, rabbitmq_beam_t, rabbitmq_initrc_exec_t;
++ type rabbitmq_t, rabbitmq_initrc_exec_t;
+ type rabbitmq_var_lib_t, rabbitmq_var_log_t, rabbitmq_var_run_t;
')
- corecmd_search_bin($1)
-- domtrans_pattern($1, rabbitmq_exec_t, rabbitmq_t)
-+ domtrans_pattern($1, rabbitmq_beam_exec_t, rabbitmq_beam_t)
- ')
+- allow $1 { rabbitmq_epmd_t rabbitmq_beam_t }:process { ptrace signal_perms };
+- ps_process_pattern($1, { rabbitmq_epmd_t rabbitmq_beam_t })
++ allow $1 { rabbitmq_t }:process { ptrace signal_perms };
++ ps_process_pattern($1, rabbitmq_t)
- ########################################
+ init_labeled_script_domtrans($1, rabbitmq_initrc_exec_t)
+ domain_system_change_exemption($1)
diff --git a/rabbitmq.te b/rabbitmq.te
-index 3698b51..12f5c46 100644
+index 3698b51..a0f44a4 100644
--- a/rabbitmq.te
+++ b/rabbitmq.te
-@@ -19,6 +19,9 @@ init_script_file(rabbitmq_initrc_exec_t)
+@@ -5,13 +5,14 @@ policy_module(rabbitmq, 1.0.0)
+ # Declarations
+ #
+
+-type rabbitmq_epmd_t;
+-type rabbitmq_epmd_exec_t;
+-init_daemon_domain(rabbitmq_epmd_t, rabbitmq_epmd_exec_t)
++type rabbitmq_t;
++type rabbitmq_exec_t;
++init_daemon_domain(rabbitmq_t, rabbitmq_exec_t)
+
+-type rabbitmq_beam_t;
+-type rabbitmq_beam_exec_t;
+-init_daemon_domain(rabbitmq_beam_t, rabbitmq_beam_exec_t)
++typealias rabbitmq_t alias {rabbitmq_beam_t rabbitmq_epmd_t};
++
++type rabbitmq_unit_file_t;
++systemd_unit_file(rabbitmq_unit_file_t)
+
+ type rabbitmq_initrc_exec_t;
+ init_script_file(rabbitmq_initrc_exec_t)
+@@ -19,6 +20,9 @@ init_script_file(rabbitmq_initrc_exec_t)
type rabbitmq_var_lib_t;
files_type(rabbitmq_var_lib_t)
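Review bot: The rewritten `rabbitmq_admin` rule still gives the caller `ptrace` on the daemon unconditionally: `allow $1 { rabbitmq_t }:process { ptrace signal_perms };`. If this tree carries the `deny_ptrace` tunable, the ptrace part belongs under it, leaving `allow $1 rabbitmq_t:process signal_perms;` unconditional; the braces around a single type are not needed either. In the rabbitmq.te part of the hunk the new `typealias` covers the two domain types, but `rabbitmq_beam_exec_t` and `rabbitmq_epmd_exec_t` are dropped with no alias, so files still carrying those labels presumably have an invalid context until they are relabelled.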
@@ -75598,131 +75677,143 @@ index 3698b51..12f5c46 100644
type rabbitmq_var_log_t;
logging_log_file(rabbitmq_var_log_t)
-@@ -30,64 +33,107 @@ files_pid_file(rabbitmq_var_run_t)
- # Beam local policy
- #
-
-+allow rabbitmq_beam_t self:capability setuid;
-+
- allow rabbitmq_beam_t self:process { setsched signal signull };
- allow rabbitmq_beam_t self:fifo_file rw_fifo_file_perms;
- allow rabbitmq_beam_t self:tcp_socket { accept listen };
+@@ -27,80 +31,81 @@ files_pid_file(rabbitmq_var_run_t)
- manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
- manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
-+files_var_lib_filetrans(rabbitmq_beam_t, rabbitmq_var_lib_t, { dir file })
+ ######################################
+ #
+-# Beam local policy
++# Rabbitmq local policy
+ #
- manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
+-allow rabbitmq_beam_t self:process { setsched signal signull };
+-allow rabbitmq_beam_t self:fifo_file rw_fifo_file_perms;
+-allow rabbitmq_beam_t self:tcp_socket { accept listen };
+-
+-manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
+-manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
+-
+-manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
-append_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
-create_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
-setattr_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
-+manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
-+logging_log_filetrans(rabbitmq_beam_t, rabbitmq_var_log_t, { dir file })
-+
-+manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lock_t, rabbitmq_var_lock_t)
-+manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_lock_t, rabbitmq_var_lock_t)
-+files_lock_filetrans(rabbitmq_beam_t, rabbitmq_var_lock_t, file)
-
- manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
- manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
-+files_pid_filetrans(rabbitmq_beam_t, rabbitmq_var_run_t, { dir file })
-+
-+ps_process_pattern(rabbitmq_beam_t, rabbitmq_epmd_t)
-
- can_exec(rabbitmq_beam_t, rabbitmq_beam_exec_t)
-
- domtrans_pattern(rabbitmq_beam_t, rabbitmq_epmd_exec_t, rabbitmq_epmd_t)
-
- kernel_read_system_state(rabbitmq_beam_t)
-+kernel_read_fs_sysctls(rabbitmq_beam_t)
-
- corecmd_exec_bin(rabbitmq_beam_t)
- corecmd_exec_shell(rabbitmq_beam_t)
-
-+corenet_tcp_bind_generic_node(rabbitmq_beam_t)
-+corenet_udp_bind_generic_node(rabbitmq_beam_t)
- corenet_all_recvfrom_unlabeled(rabbitmq_beam_t)
- corenet_all_recvfrom_netlabel(rabbitmq_beam_t)
- corenet_tcp_sendrecv_generic_if(rabbitmq_beam_t)
- corenet_tcp_sendrecv_generic_node(rabbitmq_beam_t)
- corenet_tcp_bind_generic_node(rabbitmq_beam_t)
-+corenet_tcp_connect_all_ephemeral_ports(rabbitmq_beam_t)
-+corenet_tcp_bind_all_ephemeral_ports(rabbitmq_beam_t)
-
- corenet_sendrecv_amqp_server_packets(rabbitmq_beam_t)
+-
+-manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
+-manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
++allow rabbitmq_t self:capability setuid;
+
+-can_exec(rabbitmq_beam_t, rabbitmq_beam_exec_t)
++allow rabbitmq_t self:process { setsched signal signull };
++allow rabbitmq_t self:fifo_file rw_fifo_file_perms;
++allow rabbitmq_t self:tcp_socket { accept listen };
+
+-domtrans_pattern(rabbitmq_beam_t, rabbitmq_epmd_exec_t, rabbitmq_epmd_t)
++manage_dirs_pattern(rabbitmq_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
++manage_files_pattern(rabbitmq_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
++files_var_lib_filetrans(rabbitmq_t, rabbitmq_var_lib_t, { dir file })
+
+-kernel_read_system_state(rabbitmq_beam_t)
++manage_dirs_pattern(rabbitmq_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
++manage_files_pattern(rabbitmq_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
++logging_log_filetrans(rabbitmq_t, rabbitmq_var_log_t, { dir file })
+
+-corecmd_exec_bin(rabbitmq_beam_t)
+-corecmd_exec_shell(rabbitmq_beam_t)
++manage_dirs_pattern(rabbitmq_t, rabbitmq_var_lock_t, rabbitmq_var_lock_t)
++manage_files_pattern(rabbitmq_t, rabbitmq_var_lock_t, rabbitmq_var_lock_t)
++files_lock_filetrans(rabbitmq_t, rabbitmq_var_lock_t, file)
+
+-corenet_all_recvfrom_unlabeled(rabbitmq_beam_t)
+-corenet_all_recvfrom_netlabel(rabbitmq_beam_t)
+-corenet_tcp_sendrecv_generic_if(rabbitmq_beam_t)
+-corenet_tcp_sendrecv_generic_node(rabbitmq_beam_t)
+-corenet_tcp_bind_generic_node(rabbitmq_beam_t)
++manage_dirs_pattern(rabbitmq_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
++manage_files_pattern(rabbitmq_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
++files_pid_filetrans(rabbitmq_t, rabbitmq_var_run_t, { dir file })
+
+-corenet_sendrecv_amqp_server_packets(rabbitmq_beam_t)
-corenet_tcp_bind_amqp_port(rabbitmq_beam_t)
-corenet_tcp_sendrecv_amqp_port(rabbitmq_beam_t)
++kernel_read_system_state(rabbitmq_t)
++kernel_read_fs_sysctls(rabbitmq_t)
- corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t)
-+corenet_tcp_sendrecv_amqp_port(rabbitmq_beam_t)
-+corenet_tcp_bind_amqp_port(rabbitmq_beam_t)
-+corenet_tcp_bind_couchdb_port(rabbitmq_beam_t)
-+corenet_tcp_bind_jabber_client_port(rabbitmq_beam_t)
-+corenet_tcp_bind_jabber_interserver_port(rabbitmq_beam_t)
-+corenet_tcp_connect_amqp_port(rabbitmq_beam_t)
-+corenet_tcp_connect_couchdb_port(rabbitmq_beam_t)
- corenet_tcp_connect_epmd_port(rabbitmq_beam_t)
-+corenet_tcp_connect_jabber_interserver_port(rabbitmq_beam_t)
- corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t)
-+corenet_tcp_connect_http_port(rabbitmq_beam_t)
+-corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t)
+-corenet_tcp_connect_epmd_port(rabbitmq_beam_t)
+-corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t)
++corecmd_exec_bin(rabbitmq_t)
++corecmd_exec_shell(rabbitmq_t)
-dev_read_sysfs(rabbitmq_beam_t)
-+domain_read_all_domains_state(rabbitmq_beam_t)
++corenet_tcp_bind_generic_node(rabbitmq_t)
++corenet_udp_bind_generic_node(rabbitmq_t)
++corenet_all_recvfrom_unlabeled(rabbitmq_t)
++corenet_all_recvfrom_netlabel(rabbitmq_t)
++corenet_tcp_sendrecv_generic_if(rabbitmq_t)
++corenet_tcp_sendrecv_generic_node(rabbitmq_t)
++corenet_tcp_bind_generic_node(rabbitmq_t)
++corenet_tcp_connect_all_ephemeral_ports(rabbitmq_t)
++corenet_tcp_bind_all_ephemeral_ports(rabbitmq_t)
++corenet_sendrecv_amqp_server_packets(rabbitmq_t)
++corenet_sendrecv_epmd_client_packets(rabbitmq_t)
++corenet_tcp_sendrecv_amqp_port(rabbitmq_t)
++corenet_tcp_bind_amqp_port(rabbitmq_t)
++corenet_tcp_bind_epmd_port(rabbitmq_t)
++corenet_tcp_bind_jabber_client_port(rabbitmq_t)
++corenet_tcp_bind_jabber_interserver_port(rabbitmq_t)
++corenet_tcp_connect_amqp_port(rabbitmq_t)
++corenet_tcp_connect_epmd_port(rabbitmq_t)
++corenet_tcp_connect_jabber_interserver_port(rabbitmq_t)
++corenet_tcp_sendrecv_epmd_port(rabbitmq_t)
++corenet_tcp_connect_http_port(rabbitmq_t)
-files_read_etc_files(rabbitmq_beam_t)
-+auth_read_passwd(rabbitmq_beam_t)
-+auth_use_pam(rabbitmq_beam_t)
++domain_read_all_domains_state(rabbitmq_t)
-miscfiles_read_localization(rabbitmq_beam_t)
-+files_getattr_all_mountpoints(rabbitmq_beam_t)
-+
-+fs_getattr_all_fs(rabbitmq_beam_t)
-+fs_getattr_all_dirs(rabbitmq_beam_t)
-+fs_getattr_cgroup(rabbitmq_beam_t)
-+fs_search_cgroup_dirs(rabbitmq_beam_t)
-+
-+dev_read_sysfs(rabbitmq_beam_t)
-+dev_read_urand(rabbitmq_beam_t)
-+
-+storage_getattr_fixed_disk_dev(rabbitmq_beam_t)
-
- sysnet_dns_name_resolve(rabbitmq_beam_t)
+-
+-sysnet_dns_name_resolve(rabbitmq_beam_t)
+-
+-########################################
+-#
+-# Epmd local policy
+-#
++auth_read_passwd(rabbitmq_t)
++auth_use_pam(rabbitmq_t)
-+logging_send_syslog_msg(rabbitmq_beam_t)
-+
-+optional_policy(`
-+ couchdb_manage_files(rabbitmq_beam_t)
-+')
-+
-+optional_policy(`
-+ dbus_system_bus_client(rabbitmq_beam_t)
-+')
-+
- ########################################
- #
- # Epmd local policy
- #
++files_getattr_all_mountpoints(rabbitmq_t)
--
- allow rabbitmq_epmd_t self:process signal;
- allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms;
- allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms;
- allow rabbitmq_epmd_t self:unix_stream_socket { accept listen };
+-allow rabbitmq_epmd_t self:process signal;
+-allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms;
+-allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms;
+-allow rabbitmq_epmd_t self:unix_stream_socket { accept listen };
++fs_getattr_all_fs(rabbitmq_t)
++fs_getattr_all_dirs(rabbitmq_t)
++fs_getattr_cgroup(rabbitmq_t)
++fs_search_cgroup_dirs(rabbitmq_t)
-allow rabbitmq_epmd_t rabbitmq_var_log_t:file append_file_perms;
-+allow rabbitmq_epmd_t rabbitmq_var_log_t:file manage_file_perms;
-+
-+manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
++dev_read_sysfs(rabbitmq_t)
++dev_read_urand(rabbitmq_t)
- corenet_all_recvfrom_unlabeled(rabbitmq_epmd_t)
- corenet_all_recvfrom_netlabel(rabbitmq_epmd_t)
-@@ -99,8 +145,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
- corenet_tcp_bind_epmd_port(rabbitmq_epmd_t)
- corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t)
+-corenet_all_recvfrom_unlabeled(rabbitmq_epmd_t)
+-corenet_all_recvfrom_netlabel(rabbitmq_epmd_t)
+-corenet_tcp_sendrecv_generic_if(rabbitmq_epmd_t)
+-corenet_tcp_sendrecv_generic_node(rabbitmq_epmd_t)
+-corenet_tcp_bind_generic_node(rabbitmq_epmd_t)
++storage_getattr_fixed_disk_dev(rabbitmq_t)
+
+-corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
+-corenet_tcp_bind_epmd_port(rabbitmq_epmd_t)
+-corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t)
++sysnet_dns_name_resolve(rabbitmq_t)
-files_read_etc_files(rabbitmq_epmd_t)
--
- logging_send_syslog_msg(rabbitmq_epmd_t)
++logging_send_syslog_msg(rabbitmq_t)
+
+-logging_send_syslog_msg(rabbitmq_epmd_t)
++optional_policy(`
++ dbus_system_bus_client(rabbitmq_t)
++')
-miscfiles_read_localization(rabbitmq_epmd_t)
diff --git a/radius.fc b/radius.fc
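Review bot: Folding rabbitmq_beam_t and rabbitmq_epmd_t into a single rabbitmq_t gives the port mapper everything the broker has, including `self:capability setuid`, `corecmd_exec_shell`, `domain_read_all_domains_state`, `auth_use_pam` and bind/connect on all ephemeral ports. The removed epmd section held only a short list of socket, log-append and epmd-port rules. The header comment `# Rabbitmq local policy` should say that beam and epmd now run in this one domain and why the separation was dropped. `corenet_tcp_bind_generic_node(rabbitmq_t)` is listed twice in the corenet group, and `setuid` and `auth_use_pam` carry no comment naming the program that needs them.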
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 073278f..e631b85 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 184%{?dist}
+Release: 185%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -579,6 +579,19 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Thu Sep 11 2014 Lukas Vrabec 3.12.1-185
+- Label /usr/lib/erlang/erts.*/bin files as bin_t
+- Added changes related to rabbitmq daemon.
+- Fix labeling in couchdb policy
+- Allow rabbitmq bind on epmd port
+- Clean up rabbitmq policy
+- fix domtrans_rabbitmq interface
+- Added rabbitmq_beam_t and rabbitmq_epmd_t alias
+- Allow couchdb to getattr
+- Allow couchdb write to couchdb_conf files
+- Allow couchdb to create dgram_sockets
+- Added support for ejabberd
+
* Wed Sep 10 2014 Lukas Vrabec 3.12.1-184
- ALlow wine domains to create wine_home symlinks.
- Allow policykit_auth_t access check and read usr config files.