diff --git a/policy-f20-base.patch b/policy-f20-base.patch
index 076f179..a94c887 100644
--- a/policy-f20-base.patch
+++ b/policy-f20-base.patch
@@ -2729,7 +2729,7 @@ index 99e3903..7270808 100644
########################################
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index d555767..dd089fa 100644
+index d555767..010af99 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -5,18 +5,18 @@ policy_module(usermanage, 1.18.1)
@@ -3095,7 +3095,7 @@ index d555767..dd089fa 100644
# for getting the number of groups
kernel_read_kernel_sysctls(useradd_t)
-@@ -465,36 +517,36 @@ corecmd_exec_shell(useradd_t)
+@@ -465,36 +517,37 @@ corecmd_exec_shell(useradd_t)
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
corecmd_exec_bin(useradd_t)
@@ -3111,6 +3111,7 @@ index d555767..dd089fa 100644
files_relabel_etc_files(useradd_t)
files_read_etc_runtime_files(useradd_t)
+files_manage_etc_files(useradd_t)
++files_create_var_lib_dirs(useradd_t)
+files_rw_var_lib_dirs(useradd_t)
fs_search_auto_mountpoints(useradd_t)
@@ -3144,7 +3145,7 @@ index d555767..dd089fa 100644
auth_manage_shadow(useradd_t)
auth_relabel_shadow(useradd_t)
auth_etc_filetrans_shadow(useradd_t)
-@@ -505,33 +557,36 @@ init_rw_utmp(useradd_t)
+@@ -505,33 +558,36 @@ init_rw_utmp(useradd_t)
logging_send_audit_msgs(useradd_t)
logging_send_syslog_msg(useradd_t)
@@ -3195,7 +3196,7 @@ index d555767..dd089fa 100644
optional_policy(`
apache_manage_all_user_content(useradd_t)
')
-@@ -542,7 +597,12 @@ optional_policy(`
+@@ -542,7 +598,12 @@ optional_policy(`
')
optional_policy(`
@@ -3209,7 +3210,7 @@ index d555767..dd089fa 100644
')
optional_policy(`
-@@ -550,6 +610,11 @@ optional_policy(`
+@@ -550,6 +611,11 @@ optional_policy(`
')
optional_policy(`
@@ -3221,7 +3222,7 @@ index d555767..dd089fa 100644
tunable_policy(`samba_domain_controller',`
samba_append_log(useradd_t)
')
-@@ -559,3 +624,12 @@ optional_policy(`
+@@ -559,3 +625,12 @@ optional_policy(`
rpm_use_fds(useradd_t)
rpm_rw_pipes(useradd_t)
')
@@ -6105,7 +6106,7 @@ index b31c054..53df7ae 100644
+/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
+/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index 76f285e..9f56be1 100644
+index 76f285e..fb27ae5 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -7633,7 +7634,7 @@ index 76f285e..9f56be1 100644
## Read and write to the zero device (/dev/zero).
##
##
-@@ -4851,3 +5641,945 @@ interface(`dev_unconfined',`
+@@ -4851,3 +5641,946 @@ interface(`dev_unconfined',`
typeattribute $1 devices_unconfined_type;
')
@@ -7975,6 +7976,7 @@ index 76f285e..9f56be1 100644
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event18")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event19")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event20")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event21")
+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "evtchn")
+ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb0")
+ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb1")
@@ -8886,7 +8888,7 @@ index 6a1e4d1..84e8030 100644
+ dontaudit $1 domain:dir_file_class_set audit_access;
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..7e91ba9 100644
+index cf04cb5..8f294d2 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@@ -8927,13 +8929,14 @@ index cf04cb5..7e91ba9 100644
# Transitions only allowed from domains to other domains
neverallow domain ~domain:process { transition dyntransition };
-@@ -86,23 +110,45 @@ neverallow ~{ domain unlabeled_t } *:process *;
+@@ -86,23 +110,46 @@ neverallow ~{ domain unlabeled_t } *:process *;
allow domain self:dir list_dir_perms;
allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
allow domain self:file rw_file_perms;
+allow domain self:fifo_file rw_fifo_file_perms;
+allow domain self:sem create_sem_perms;
+allow domain self:shm create_shm_perms;
++allow domain self:key manage_key_perms;
+
kernel_read_proc_symlinks(domain)
+kernel_read_crypto_sysctls(domain)
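Review bot: `allow domain self:key manage_key_perms;` is added on the `domain` attribute, so every domain in the policy gains create, write and setattr (among others) on its own kernel keys, and the hunk gives no reason for it. This widens the baseline for all domains rather than for the one that hit a denial. A comment naming the consumer would help, e.g. `# <reason: which service/AVC needed keyring management>`, or the rule could move to the specific domain(s) that need it. The surrounding block of `allow domain self:...` rules continues outside the hunk.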
@@ -8974,7 +8977,7 @@ index cf04cb5..7e91ba9 100644
ifdef(`hide_broken_symptoms',`
# This check is in the general socket
-@@ -121,8 +167,18 @@ tunable_policy(`global_ssp',`
+@@ -121,8 +168,18 @@ tunable_policy(`global_ssp',`
')
optional_policy(`
@@ -8993,7 +8996,7 @@ index cf04cb5..7e91ba9 100644
')
optional_policy(`
-@@ -133,6 +189,9 @@ optional_policy(`
+@@ -133,6 +190,9 @@ optional_policy(`
optional_policy(`
xserver_dontaudit_use_xdm_fds(domain)
xserver_dontaudit_rw_xdm_pipes(domain)
@@ -9003,7 +9006,7 @@ index cf04cb5..7e91ba9 100644
')
########################################
-@@ -147,12 +206,18 @@ optional_policy(`
+@@ -147,12 +207,18 @@ optional_policy(`
# Use/sendto/connectto sockets created by any domain.
allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
@@ -9023,7 +9026,7 @@ index cf04cb5..7e91ba9 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +231,310 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +232,310 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
@@ -9585,7 +9588,7 @@ index c2c6e05..2282452 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 64ff4d7..75437fb 100644
+index 64ff4d7..f0233d1 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@@ -11333,7 +11336,31 @@ index 64ff4d7..75437fb 100644
## Create, read, write, and delete directories
## in the /var directory.
##
-@@ -5578,6 +6654,25 @@ interface(`files_read_var_lib_symlinks',`
+@@ -5507,6 +6583,23 @@ interface(`files_rw_var_lib_dirs',`
+ rw_dirs_pattern($1, var_lib_t, var_lib_t)
+ ')
+
++#######################################
++##
++## Create directories in /var/lib
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_create_var_lib_dirs',`
++ gen_require(`
++ type var_lib_t;
++ ')
++ allow $1 var_lib_t:dir { create rw_dir_perms };
++')
++
+ ########################################
+ ##
+ ## Create objects in the /var/lib directory
+@@ -5578,6 +6671,25 @@ interface(`files_read_var_lib_symlinks',`
read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
')
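Review bot: The new `files_create_var_lib_dirs` interface grants more than its name and summary ("Create directories in /var/lib") say. `allow $1 var_lib_t:dir { create rw_dir_perms };` also gives read/write and add/remove-entry access to existing var_lib_t directories, which duplicates `files_rw_var_lib_dirs` directly above it. If the intent is only directory creation, `allow $1 var_lib_t:dir create_dir_perms;` keeps the interface least-privilege. Callers that need both can combine the two interfaces, as useradd_t already does in the usermanage.te hunk.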
@@ -11359,7 +11386,7 @@ index 64ff4d7..75437fb 100644
# cjp: the next two interfaces really need to be fixed
# in some way. They really neeed their own types.
-@@ -5623,7 +6718,7 @@ interface(`files_manage_mounttab',`
+@@ -5623,7 +6735,7 @@ interface(`files_manage_mounttab',`
########################################
##
@@ -11368,7 +11395,7 @@ index 64ff4d7..75437fb 100644
##
##
##
-@@ -5631,12 +6726,13 @@ interface(`files_manage_mounttab',`
+@@ -5631,12 +6743,13 @@ interface(`files_manage_mounttab',`
##
##
#
@@ -11384,7 +11411,7 @@ index 64ff4d7..75437fb 100644
')
########################################
-@@ -5654,6 +6750,7 @@ interface(`files_search_locks',`
+@@ -5654,6 +6767,7 @@ interface(`files_search_locks',`
type var_t, var_lock_t;
')
@@ -11392,7 +11419,7 @@ index 64ff4d7..75437fb 100644
allow $1 var_lock_t:lnk_file read_lnk_file_perms;
search_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5680,7 +6777,26 @@ interface(`files_dontaudit_search_locks',`
+@@ -5680,7 +6794,26 @@ interface(`files_dontaudit_search_locks',`
########################################
##
@@ -11420,7 +11447,7 @@ index 64ff4d7..75437fb 100644
##
##
##
-@@ -5688,13 +6804,12 @@ interface(`files_dontaudit_search_locks',`
+@@ -5688,13 +6821,12 @@ interface(`files_dontaudit_search_locks',`
##
##
#
@@ -11437,7 +11464,7 @@ index 64ff4d7..75437fb 100644
')
########################################
-@@ -5713,7 +6828,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5713,7 +6845,7 @@ interface(`files_rw_lock_dirs',`
type var_t, var_lock_t;
')
@@ -11446,7 +11473,7 @@ index 64ff4d7..75437fb 100644
rw_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5746,7 +6861,6 @@ interface(`files_create_lock_dirs',`
+@@ -5746,7 +6878,6 @@ interface(`files_create_lock_dirs',`
## Domain allowed access.
##
##
@@ -11454,7 +11481,7 @@ index 64ff4d7..75437fb 100644
#
interface(`files_relabel_all_lock_dirs',`
gen_require(`
-@@ -5761,7 +6875,7 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5761,7 +6892,7 @@ interface(`files_relabel_all_lock_dirs',`
########################################
##
@@ -11463,7 +11490,7 @@ index 64ff4d7..75437fb 100644
##
##
##
-@@ -5769,13 +6883,33 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5769,13 +6900,33 @@ interface(`files_relabel_all_lock_dirs',`
##
##
#
@@ -11498,7 +11525,7 @@ index 64ff4d7..75437fb 100644
allow $1 var_lock_t:dir list_dir_perms;
getattr_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5791,13 +6925,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5791,13 +6942,12 @@ interface(`files_getattr_generic_locks',`
##
#
interface(`files_delete_generic_locks',`
@@ -11516,7 +11543,7 @@ index 64ff4d7..75437fb 100644
')
########################################
-@@ -5816,9 +6949,7 @@ interface(`files_manage_generic_locks',`
+@@ -5816,9 +6966,7 @@ interface(`files_manage_generic_locks',`
type var_t, var_lock_t;
')
@@ -11527,7 +11554,7 @@ index 64ff4d7..75437fb 100644
manage_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5860,8 +6991,7 @@ interface(`files_read_all_locks',`
+@@ -5860,8 +7008,7 @@ interface(`files_read_all_locks',`
type var_t, var_lock_t;
')
@@ -11537,7 +11564,7 @@ index 64ff4d7..75437fb 100644
allow $1 lockfile:dir list_dir_perms;
read_files_pattern($1, lockfile, lockfile)
read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5883,8 +7013,7 @@ interface(`files_manage_all_locks',`
+@@ -5883,8 +7030,7 @@ interface(`files_manage_all_locks',`
type var_t, var_lock_t;
')
@@ -11547,7 +11574,7 @@ index 64ff4d7..75437fb 100644
manage_dirs_pattern($1, lockfile, lockfile)
manage_files_pattern($1, lockfile, lockfile)
manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5921,8 +7050,7 @@ interface(`files_lock_filetrans',`
+@@ -5921,8 +7067,7 @@ interface(`files_lock_filetrans',`
type var_t, var_lock_t;
')
@@ -11557,7 +11584,7 @@ index 64ff4d7..75437fb 100644
filetrans_pattern($1, var_lock_t, $2, $3, $4)
')
-@@ -5961,7 +7089,7 @@ interface(`files_setattr_pid_dirs',`
+@@ -5961,7 +7106,7 @@ interface(`files_setattr_pid_dirs',`
type var_run_t;
')
@@ -11566,7 +11593,7 @@ index 64ff4d7..75437fb 100644
allow $1 var_run_t:dir setattr;
')
-@@ -5981,10 +7109,48 @@ interface(`files_search_pids',`
+@@ -5981,10 +7126,48 @@ interface(`files_search_pids',`
type var_t, var_run_t;
')
@@ -11615,7 +11642,7 @@ index 64ff4d7..75437fb 100644
########################################
##
## Do not audit attempts to search
-@@ -6007,6 +7173,25 @@ interface(`files_dontaudit_search_pids',`
+@@ -6007,6 +7190,25 @@ interface(`files_dontaudit_search_pids',`
########################################
##
@@ -11641,7 +11668,7 @@ index 64ff4d7..75437fb 100644
## List the contents of the runtime process
## ID directories (/var/run).
##
-@@ -6021,7 +7206,7 @@ interface(`files_list_pids',`
+@@ -6021,7 +7223,7 @@ interface(`files_list_pids',`
type var_t, var_run_t;
')
@@ -11650,7 +11677,7 @@ index 64ff4d7..75437fb 100644
list_dirs_pattern($1, var_t, var_run_t)
')
-@@ -6040,7 +7225,7 @@ interface(`files_read_generic_pids',`
+@@ -6040,7 +7242,7 @@ interface(`files_read_generic_pids',`
type var_t, var_run_t;
')
@@ -11659,7 +11686,7 @@ index 64ff4d7..75437fb 100644
list_dirs_pattern($1, var_t, var_run_t)
read_files_pattern($1, var_run_t, var_run_t)
')
-@@ -6060,7 +7245,7 @@ interface(`files_write_generic_pid_pipes',`
+@@ -6060,7 +7262,7 @@ interface(`files_write_generic_pid_pipes',`
type var_run_t;
')
@@ -11668,7 +11695,7 @@ index 64ff4d7..75437fb 100644
allow $1 var_run_t:fifo_file write;
')
-@@ -6122,7 +7307,6 @@ interface(`files_pid_filetrans',`
+@@ -6122,7 +7324,6 @@ interface(`files_pid_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
@@ -11676,11 +11703,37 @@ index 64ff4d7..75437fb 100644
filetrans_pattern($1, var_run_t, $2, $3, $4)
')
-@@ -6151,6 +7335,24 @@ interface(`files_pid_filetrans_lock_dir',`
+@@ -6151,7 +7352,7 @@ interface(`files_pid_filetrans_lock_dir',`
########################################
##
+-## Read and write generic process ID files.
+## rw generic pid files inherited from another process
+ ##
+ ##
+ ##
+@@ -6159,20 +7360,38 @@ interface(`files_pid_filetrans_lock_dir',`
+ ##
+ ##
+ #
+-interface(`files_rw_generic_pids',`
++interface(`files_rw_inherited_generic_pid_files',`
+ gen_require(`
+- type var_t, var_run_t;
++ type var_run_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- list_dirs_pattern($1, var_t, var_run_t)
+- rw_files_pattern($1, var_run_t, var_run_t)
++ allow $1 var_run_t:file rw_inherited_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to get the attributes of
+-## daemon runtime data files.
++## Read and write generic process ID files.
+##
+##
+##
@@ -11688,41 +11741,34 @@ index 64ff4d7..75437fb 100644
+##
+##
+#
-+interface(`files_rw_inherited_generic_pid_files',`
++interface(`files_rw_generic_pids',`
+ gen_require(`
-+ type var_run_t;
++ type var_t, var_run_t;
+ ')
+
-+ allow $1 var_run_t:file rw_inherited_file_perms;
++ files_search_pids($1)
++ list_dirs_pattern($1, var_t, var_run_t)
++ rw_files_pattern($1, var_run_t, var_run_t)
+')
+
+########################################
+##
- ## Read and write generic process ID files.
++## Do not audit attempts to get the attributes of
++## daemon runtime data files.
##
##
-@@ -6164,7 +7366,7 @@ interface(`files_rw_generic_pids',`
- type var_t, var_run_t;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-+ files_search_pids($1)
- list_dirs_pattern($1, var_t, var_run_t)
- rw_files_pattern($1, var_run_t, var_run_t)
- ')
-@@ -6231,24 +7433,208 @@ interface(`files_dontaudit_ioctl_all_pids',`
+ ##
+@@ -6231,6 +7450,116 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
##
--## Read all process ID files.
+## Relable all pid directories
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
++##
++##
++##
++## Domain allowed access.
++##
++##
+#
+interface(`files_relabel_all_pid_dirs',`
+ gen_require(`
@@ -11826,15 +11872,10 @@ index 64ff4d7..75437fb 100644
+
+########################################
+##
-+## Read all process ID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
- #
+ ## Read all process ID files.
+ ##
+ ##
+@@ -6243,12 +7572,86 @@ interface(`files_dontaudit_ioctl_all_pids',`
interface(`files_read_all_pids',`
gen_require(`
attribute pidfile;
@@ -11923,7 +11964,7 @@ index 64ff4d7..75437fb 100644
')
########################################
-@@ -6268,8 +7654,8 @@ interface(`files_delete_all_pids',`
+@@ -6268,8 +7671,8 @@ interface(`files_delete_all_pids',`
type var_t, var_run_t;
')
@@ -11933,7 +11974,7 @@ index 64ff4d7..75437fb 100644
allow $1 var_run_t:dir rmdir;
allow $1 var_run_t:lnk_file delete_lnk_file_perms;
delete_files_pattern($1, pidfile, pidfile)
-@@ -6293,36 +7679,80 @@ interface(`files_delete_all_pid_dirs',`
+@@ -6293,36 +7696,80 @@ interface(`files_delete_all_pid_dirs',`
type var_t, var_run_t;
')
@@ -12025,7 +12066,7 @@ index 64ff4d7..75437fb 100644
##
##
##
-@@ -6330,12 +7760,33 @@ interface(`files_manage_all_pids',`
+@@ -6330,12 +7777,33 @@ interface(`files_manage_all_pids',`
##
##
#
@@ -12062,7 +12103,7 @@ index 64ff4d7..75437fb 100644
')
########################################
-@@ -6562,3 +8013,514 @@ interface(`files_unconfined',`
+@@ -6562,3 +8030,514 @@ interface(`files_unconfined',`
typeattribute $1 files_unconfined_type;
')
@@ -15812,7 +15853,7 @@ index 54f1827..39faa3f 100644
+/usr/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/usr/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0)
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
-index 1700ef2..38b597e 100644
+index 1700ef2..63e1b75 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
@@ -22,6 +22,26 @@ interface(`storage_getattr_fixed_disk_dev',`
@@ -15941,7 +15982,7 @@ index 1700ef2..38b597e 100644
########################################
##
## Allow the caller to directly read
-@@ -808,3 +892,401 @@ interface(`storage_unconfined',`
+@@ -808,3 +892,411 @@ interface(`storage_unconfined',`
typeattribute $1 storage_unconfined_type;
')
@@ -16042,6 +16083,16 @@ index 1700ef2..38b597e 100644
+ dev_filetrans($1, removable_device_t, blk_file, "cm207")
+ dev_filetrans($1, removable_device_t, blk_file, "cm208")
+ dev_filetrans($1, removable_device_t, blk_file, "cm209")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache0")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache1")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache2")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache3")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache4")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache5")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache6")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache7")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache8")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache9")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "md0")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "md1")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "md2")
@@ -18980,7 +19031,7 @@ index 0000000..cf6582f
+
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
-index 0000000..539c163
+index 0000000..1357cda
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
@@ -0,0 +1,328 @@
@@ -19276,7 +19327,7 @@ index 0000000..539c163
+')
+
+optional_policy(`
-+ rpm_run(unconfined_t, unconfined_r)
++# rpm_run(unconfined_t, unconfined_r)
+ # Allow SELinux aware applications to request rpm_script execution
+ rpm_transition_script(unconfined_t)
+ rpm_dbus_chat(unconfined_t)
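Review bot: `# rpm_run(unconfined_t, unconfined_r)` leaves a disabled rule in the policy with no explanation, directly above a comment that describes the following line. Without `rpm_run`, unconfined_t presumably no longer transitions to the rpm domain when it runs rpm, which changes how package operations started by unconfined users are confined and labelled. Either delete the line or replace it with a comment such as `# rpm_run disabled: <bug/reference>; rpm started by unconfined_t stays in unconfined_t`. The optional_policy block closes outside the hunk.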
@@ -29745,7 +29796,7 @@ index 0d4c8d3..e6ffda3 100644
+ ps_process_pattern($1, ipsec_mgmt_t)
+')
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 9e54bf9..1de81e9 100644
+index 9e54bf9..7ca1e9e 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@@ -29767,7 +29818,7 @@ index 9e54bf9..1de81e9 100644
-allow ipsec_t self:process { getcap setcap getsched signal setsched };
+allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice net_raw setuid setgid };
+dontaudit ipsec_t self:capability sys_tty_config;
-+allow ipsec_t self:process { getcap setcap getsched signal signull setsched };
++allow ipsec_t self:process { getcap setcap getsched signal signull setsched sigkill };
allow ipsec_t self:tcp_socket create_stream_socket_perms;
allow ipsec_t self:udp_socket create_socket_perms;
+allow ipsec_t self:packet_socket create_socket_perms;
@@ -30121,7 +30172,7 @@ index c42fbc3..174cfdb 100644
##
## Set the attributes of iptables config files.
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
-index 5dfa44b..cafb28e 100644
+index 5dfa44b..1c9fe59 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -16,15 +16,15 @@ role iptables_roles types iptables_t;
@@ -30162,15 +30213,16 @@ index 5dfa44b..cafb28e 100644
kernel_request_load_module(iptables_t)
kernel_read_system_state(iptables_t)
kernel_read_network_state(iptables_t)
-@@ -64,6 +65,7 @@ corenet_relabelto_all_packets(iptables_t)
+@@ -64,6 +65,8 @@ corenet_relabelto_all_packets(iptables_t)
corenet_dontaudit_rw_tun_tap_dev(iptables_t)
dev_read_sysfs(iptables_t)
+dev_read_urand(iptables_t)
++dev_read_rand(iptables_t)
fs_getattr_xattr_fs(iptables_t)
fs_search_auto_mountpoints(iptables_t)
-@@ -72,11 +74,12 @@ fs_list_inotifyfs(iptables_t)
+@@ -72,11 +75,12 @@ fs_list_inotifyfs(iptables_t)
mls_file_read_all_levels(iptables_t)
term_dontaudit_use_console(iptables_t)
@@ -30185,7 +30237,7 @@ index 5dfa44b..cafb28e 100644
auth_use_nsswitch(iptables_t)
-@@ -85,15 +88,14 @@ init_use_script_ptys(iptables_t)
+@@ -85,15 +89,14 @@ init_use_script_ptys(iptables_t)
# to allow rules to be saved on reboot:
init_rw_script_tmp_files(iptables_t)
init_rw_script_stream_sockets(iptables_t)
@@ -30203,7 +30255,7 @@ index 5dfa44b..cafb28e 100644
userdom_use_all_users_fds(iptables_t)
ifdef(`hide_broken_symptoms',`
-@@ -102,6 +104,8 @@ ifdef(`hide_broken_symptoms',`
+@@ -102,6 +105,8 @@ ifdef(`hide_broken_symptoms',`
optional_policy(`
fail2ban_append_log(iptables_t)
@@ -30212,7 +30264,7 @@ index 5dfa44b..cafb28e 100644
')
optional_policy(`
-@@ -110,6 +114,11 @@ optional_policy(`
+@@ -110,6 +115,11 @@ optional_policy(`
')
optional_policy(`
@@ -30224,7 +30276,7 @@ index 5dfa44b..cafb28e 100644
modutils_run_insmod(iptables_t, iptables_roles)
')
-@@ -124,6 +133,12 @@ optional_policy(`
+@@ -124,6 +134,12 @@ optional_policy(`
optional_policy(`
psad_rw_tmp_files(iptables_t)
@@ -30237,7 +30289,7 @@ index 5dfa44b..cafb28e 100644
')
optional_policy(`
-@@ -135,9 +150,9 @@ optional_policy(`
+@@ -135,9 +151,9 @@ optional_policy(`
')
optional_policy(`
@@ -31681,7 +31733,7 @@ index 4e94884..ae63d78 100644
+ logging_log_filetrans($1, var_log_t, dir, "anaconda")
+')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 39ea221..e2be79a 100644
+index 39ea221..d94978c 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -4,6 +4,21 @@ policy_module(logging, 1.19.6)
@@ -32014,7 +32066,16 @@ index 39ea221..e2be79a 100644
ifdef(`distro_gentoo',`
# default gentoo syslog-ng config appends kernel
-@@ -502,15 +579,40 @@ optional_policy(`
+@@ -492,6 +569,8 @@ optional_policy(`
+ optional_policy(`
+ cron_manage_log_files(syslogd_t)
+ cron_generic_log_filetrans_log(syslogd_t, file, "cron.log")
++ cron_generic_log_filetrans_log(syslogd_t, file, "cron")
++
+ ')
+
+ optional_policy(`
+@@ -502,15 +581,40 @@ optional_policy(`
')
optional_policy(`
@@ -32055,7 +32116,7 @@ index 39ea221..e2be79a 100644
')
optional_policy(`
-@@ -521,3 +623,26 @@ optional_policy(`
+@@ -521,3 +625,26 @@ optional_policy(`
# log to the xconsole
xserver_rw_console(syslogd_t)
')
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index 49f98ce..a5fd50f 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -538,7 +538,7 @@ index 058d908..ff0f9c2 100644
+')
+
diff --git a/abrt.te b/abrt.te
-index cc43d25..0560e0a 100644
+index cc43d25..b06463f 100644
--- a/abrt.te
+++ b/abrt.te
@@ -1,4 +1,4 @@
@@ -774,7 +774,7 @@ index cc43d25..0560e0a 100644
dev_getattr_all_chr_files(abrt_t)
dev_getattr_all_blk_files(abrt_t)
-@@ -163,29 +193,39 @@ files_getattr_all_files(abrt_t)
+@@ -163,29 +193,40 @@ files_getattr_all_files(abrt_t)
files_read_config_files(abrt_t)
files_read_etc_runtime_files(abrt_t)
files_read_var_symlinks(abrt_t)
@@ -811,13 +811,14 @@ index cc43d25..0560e0a 100644
+miscfiles_read_generic_certs(abrt_t)
miscfiles_read_public_files(abrt_t)
++miscfiles_dontaudit_access_check_cert(abrt_t)
userdom_dontaudit_read_user_home_content_files(abrt_t)
+userdom_dontaudit_read_admin_home_files(abrt_t)
tunable_policy(`abrt_anon_write',`
miscfiles_manage_public_files(abrt_t)
-@@ -193,15 +233,11 @@ tunable_policy(`abrt_anon_write',`
+@@ -193,15 +234,11 @@ tunable_policy(`abrt_anon_write',`
optional_policy(`
apache_list_modules(abrt_t)
@@ -834,7 +835,7 @@ index cc43d25..0560e0a 100644
')
optional_policy(`
-@@ -209,6 +245,20 @@ optional_policy(`
+@@ -209,6 +246,20 @@ optional_policy(`
')
optional_policy(`
@@ -855,7 +856,7 @@ index cc43d25..0560e0a 100644
policykit_domtrans_auth(abrt_t)
policykit_read_lib(abrt_t)
policykit_read_reload(abrt_t)
-@@ -220,6 +270,7 @@ optional_policy(`
+@@ -220,6 +271,7 @@ optional_policy(`
corecmd_exec_all_executables(abrt_t)
')
@@ -863,7 +864,7 @@ index cc43d25..0560e0a 100644
optional_policy(`
rpm_exec(abrt_t)
rpm_dontaudit_manage_db(abrt_t)
-@@ -230,6 +281,7 @@ optional_policy(`
+@@ -230,6 +282,7 @@ optional_policy(`
rpm_signull(abrt_t)
')
@@ -871,7 +872,7 @@ index cc43d25..0560e0a 100644
optional_policy(`
sendmail_domtrans(abrt_t)
')
-@@ -240,9 +292,17 @@ optional_policy(`
+@@ -240,9 +293,17 @@ optional_policy(`
sosreport_delete_tmp_files(abrt_t)
')
@@ -890,7 +891,7 @@ index cc43d25..0560e0a 100644
#
allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
-@@ -253,9 +313,13 @@ tunable_policy(`abrt_handle_event',`
+@@ -253,9 +314,13 @@ tunable_policy(`abrt_handle_event',`
can_exec(abrt_t, abrt_handle_event_exec_t)
')
@@ -905,7 +906,7 @@ index cc43d25..0560e0a 100644
#
allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -268,6 +332,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+@@ -268,6 +333,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
@@ -913,7 +914,7 @@ index cc43d25..0560e0a 100644
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
-@@ -276,15 +341,20 @@ corecmd_read_all_executables(abrt_helper_t)
+@@ -276,15 +342,20 @@ corecmd_read_all_executables(abrt_helper_t)
domain_read_all_domains_state(abrt_helper_t)
@@ -934,7 +935,7 @@ index cc43d25..0560e0a 100644
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -292,11 +362,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -292,11 +363,25 @@ ifdef(`hide_broken_symptoms',`
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -961,7 +962,7 @@ index cc43d25..0560e0a 100644
#
allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
-@@ -314,10 +398,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
+@@ -314,10 +399,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
dev_read_urand(abrt_retrace_coredump_t)
@@ -975,7 +976,7 @@ index cc43d25..0560e0a 100644
optional_policy(`
rpm_exec(abrt_retrace_coredump_t)
rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
-@@ -330,10 +416,11 @@ optional_policy(`
+@@ -330,10 +417,11 @@ optional_policy(`
#######################################
#
@@ -989,7 +990,7 @@ index cc43d25..0560e0a 100644
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -352,46 +439,56 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -352,46 +440,56 @@ corecmd_exec_shell(abrt_retrace_worker_t)
dev_read_urand(abrt_retrace_worker_t)
@@ -1051,7 +1052,7 @@ index cc43d25..0560e0a 100644
read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
-@@ -400,16 +497,50 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
+@@ -400,16 +498,50 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
corecmd_exec_bin(abrt_watch_log_t)
logging_read_all_logs(abrt_watch_log_t)
@@ -1068,7 +1069,7 @@ index cc43d25..0560e0a 100644
#
-kernel_read_system_state(abrt_domain)
-+allow abrt_upload_watch_t self:capability dac_override;
++allow abrt_upload_watch_t self:capability { dac_override chown };
-files_read_etc_files(abrt_domain)
+manage_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
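Review bot: `allow abrt_upload_watch_t self:capability { dac_override chown };` adds `chown` to a domain that already bypasses DAC checks, with no comment on which files it needs to re-own. With both capabilities, the type-enforcement rules for abrt_upload_watch_t are the only remaining limit on what the process can take ownership of. The reason is worth recording next to the rule, e.g. `# chown: <which directory/files the watcher re-owns>`. The rest of the abrt_upload_watch_t section lies outside the hunk.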
@@ -7853,10 +7854,10 @@ index 0000000..316c324
+')
diff --git a/authconfig.te b/authconfig.te
new file mode 100644
-index 0000000..f2aa4e6
+index 0000000..362a049
--- /dev/null
+++ b/authconfig.te
-@@ -0,0 +1,32 @@
+@@ -0,0 +1,33 @@
+policy_module(authconfig, 1.0.0)
+
+########################################
@@ -7885,6 +7886,7 @@ index 0000000..f2aa4e6
+files_var_lib_filetrans(authconfig_t, authconfig_var_lib_t, { dir file lnk_file })
+
+domain_use_interactive_fds(authconfig_t)
++domain_named_filetrans(authconfig_t)
+
+init_domtrans_script(authconfig_t)
+
@@ -27480,10 +27482,10 @@ index fd02acc..0000000
-
-miscfiles_read_localization(glusterd_t)
diff --git a/gnome.fc b/gnome.fc
-index e39de43..4c8113b 100644
+index e39de43..6a6db28 100644
--- a/gnome.fc
+++ b/gnome.fc
-@@ -1,15 +1,59 @@
+@@ -1,15 +1,61 @@
-HOME_DIR/\.gconf(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
-HOME_DIR/\.gconfd(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
-HOME_DIR/\.gnome(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
@@ -27497,6 +27499,7 @@ index e39de43..4c8113b 100644
+HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0)
+HOME_DIR/\.kde(/.*)? gen_context(system_u:object_r:config_home_t,s0)
+HOME_DIR/\.nv(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
++HOME_DIR/\.nv/GLCache(/.*)? gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
+HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0)
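Review bot: `HOME_DIR/\.nv/GLCache(/.*)?` here, and `HOME_DIR/\.cache/GLCache(/.*)?` in the next gnome.fc hunk, label the GL cache as `gstreamer_home_t`. Every domain allowed to manage GStreamer home content can therefore also write the GL cache, and GL clients need GStreamer-content access to use it. If a dedicated type is not wanted, a comment on both entries explaining the reuse would stop a later reader from treating it as a typo. The gnome.if hunk adds a named transition only for the cache directory, `gnome_cache_filetrans($1, gstreamer_home_t, dir, "GLCache")`. No matching transition for `.nv/GLCache` is visible here, so that directory would presumably be created as `cache_home_t` until relabelled.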
@@ -27505,6 +27508,7 @@ index e39de43..4c8113b 100644
+HOME_DIR/\.grl-bookmarks gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.cache/gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0)
++HOME_DIR/\.cache/GLCache(/.*)? gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.orc(/.*)? gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.local.* gen_context(system_u:object_r:gconf_home_t,s0)
+HOME_DIR/\.local/share(/.*)? gen_context(system_u:object_r:data_home_t,s0)
@@ -27553,7 +27557,7 @@ index e39de43..4c8113b 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/gnome.if b/gnome.if
-index d03fd43..89a7bb92 100644
+index d03fd43..74170f8 100644
--- a/gnome.if
+++ b/gnome.if
@@ -1,123 +1,157 @@
@@ -28616,7 +28620,7 @@ index d03fd43..89a7bb92 100644
##
##
##
-@@ -704,12 +778,912 @@ interface(`gnome_stream_connect_gkeyringd',`
+@@ -704,12 +778,913 @@ interface(`gnome_stream_connect_gkeyringd',`
##
##
#
@@ -29165,6 +29169,7 @@ index d03fd43..89a7bb92 100644
+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".orc")
+ userdom_user_tmp_filetrans($1, gstreamer_home_t, dir, ".orc")
+ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-0.12")
++ gnome_cache_filetrans($1, gstreamer_home_t, dir, "GLCache")
+ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-0.10")
+ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-1.0")
+ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-1.2")
@@ -31411,10 +31416,10 @@ index 0000000..e2ae3b2
+/var/lib/hyperv(/.*)? gen_context(system_u:object_r:hypervkvp_var_lib_t,s0)
diff --git a/hypervkvp.if b/hypervkvp.if
new file mode 100644
-index 0000000..17c3627
+index 0000000..b7ca833
--- /dev/null
+++ b/hypervkvp.if
-@@ -0,0 +1,111 @@
+@@ -0,0 +1,134 @@
+
+## policy for hypervkvp
+
@@ -31496,6 +31501,29 @@ index 0000000..17c3627
+ manage_files_pattern($1, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
+')
+
++#######################################
++##
++## Execute hypervkvp server in the hypervkvp domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`hypervkvp_systemctl',`
++ gen_require(`
++ type hypervkvp_t;
++ type hypervkvp_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 hypervkvp_unit_file_t:file read_file_perms;
++ allow $1 hypervkvp_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, hypervkvp_t)
++ ')
++
+########################################
+##
+## All of the rules required to administrate
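Review bot: The summary on the new `hypervkvp_systemctl` interface, `Execute hypervkvp server in the hypervkvp domain.`, describes a domain transition, but the body runs systemctl and grants `manage_service_perms` on `hypervkvp_unit_file_t`. Something like `## Execute systemctl to manage the hypervkvp service unit.` would tell callers what they are actually granting. The closing `')` of the interface is indented, unlike the other interfaces in this file, and should sit at column 0. The motion interface of the same shape on this page also calls `systemd_read_fifo_file_passwd_run($1)`; whether its absence here is deliberate is not visible from the hunk.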
@@ -41697,16 +41725,16 @@ index 0000000..7415106
+/var/motion(/.*)? gen_context(system_u:object_r:motion_data_t,s0)
diff --git a/motion.if b/motion.if
new file mode 100644
-index 0000000..1b1b04c
+index 0000000..39f4a04
--- /dev/null
+++ b/motion.if
-@@ -0,0 +1,193 @@
+@@ -0,0 +1,197 @@
+
+## Detect motion using a video4linux device
+
+########################################
+##
-+## Execute TEMPLATE in the motion domain.
++## Execute motion in the motion domain.
+##
+##
+##
@@ -41837,7 +41865,7 @@ index 0000000..1b1b04c
+ ')
+
+ systemd_exec_systemctl($1)
-+ systemd_read_fifo_file_password_run($1)
++ systemd_read_fifo_file_passwd_run($1)
+ allow $1 motion_unit_file_t:file read_file_perms;
+ allow $1 motion_unit_file_t:service manage_service_perms;
+
@@ -41877,12 +41905,16 @@ index 0000000..1b1b04c
+ gen_require(`
+ type motion_t;
+ type motion_log_t;
-+ type motion_unit_file_t;
++ type motion_unit_file_t;
+ ')
+
-+ allow $1 motion_t:process { ptrace signal_perms };
++ allow $1 motion_t:process { signal_perms };
+ ps_process_pattern($1, motion_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 motion_t:process ptrace;
++ ')
++
+ logging_search_logs($1)
+ admin_pattern($1, motion_log_t)
+
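Review bot: The new `tunable_policy` block on `deny_ptrace` puts the ptrace rule in the else branch behind an empty first branch, which is easy to misread as granting ptrace when the boolean is on. A one-line comment above it, for example `# ptrace is allowed only while the deny_ptrace boolean is off`, would make the direction explicit. The braces left in `allow $1 motion_t:process { signal_perms };` are now redundant and could become `allow $1 motion_t:process signal_perms;`. The interface this belongs to begins and ends outside the hunk.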
@@ -44208,6 +44240,36 @@ index 9aca704..f92829c 100644
allow mplayer_t mplayer_tmpfs_t:file execute;
')
+diff --git a/mrtg.if b/mrtg.if
+index c595094..2346458 100644
+--- a/mrtg.if
++++ b/mrtg.if
+@@ -2,6 +2,25 @@
+
+ ########################################
+ ##
++## Read mrtg lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mrtg_read_lib_files',`
++ gen_require(`
++ type mrtg_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, mrtg_var_lib_t, mrtg_var_lib_t)
++')
++
++########################################
++##
+ ## Create and append mrtg log files.
+ ##
+ ##
diff --git a/mrtg.te b/mrtg.te
index c97c177..9411154 100644
--- a/mrtg.te
@@ -48106,7 +48168,7 @@ index 0641e97..d7d9a79 100644
+ admin_pattern($1, nrpe_etc_t)
')
diff --git a/nagios.te b/nagios.te
-index 44ad3b7..a0488ea 100644
+index 44ad3b7..39bcd98 100644
--- a/nagios.te
+++ b/nagios.te
@@ -27,7 +27,7 @@ type nagios_var_run_t;
@@ -48320,7 +48382,7 @@ index 44ad3b7..a0488ea 100644
kernel_read_kernel_sysctls(nagios_system_plugin_t)
corecmd_exec_bin(nagios_system_plugin_t)
-@@ -420,10 +435,10 @@ dev_read_sysfs(nagios_system_plugin_t)
+@@ -420,14 +435,18 @@ dev_read_sysfs(nagios_system_plugin_t)
domain_read_all_domains_state(nagios_system_plugin_t)
@@ -48333,7 +48395,15 @@ index 44ad3b7..a0488ea 100644
optional_policy(`
init_read_utmp(nagios_system_plugin_t)
')
-@@ -442,11 +457,44 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t)
+
++optional_policy(`
++ mrtg_read_lib_files(nagios_system_plugin_t)
++')
++
+ #######################################
+ #
+ # Event local policy
+@@ -442,11 +461,44 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t)
init_domtrans_script(nagios_eventhandler_plugin_t)
@@ -57682,7 +57752,7 @@ index d2fc677..ded726f 100644
')
+
diff --git a/pegasus.te b/pegasus.te
-index 7bcf327..d40a4ee 100644
+index 7bcf327..6fa25ba 100644
--- a/pegasus.te
+++ b/pegasus.te
@@ -1,17 +1,16 @@
@@ -57706,7 +57776,7 @@ index 7bcf327..d40a4ee 100644
type pegasus_cache_t;
files_type(pegasus_cache_t)
-@@ -30,20 +29,290 @@ files_type(pegasus_mof_t)
+@@ -30,20 +29,291 @@ files_type(pegasus_mof_t)
type pegasus_var_run_t;
files_pid_file(pegasus_var_run_t)
@@ -57863,6 +57933,7 @@ index 7bcf327..d40a4ee 100644
+dev_read_urand(pegasus_openlmi_system_t)
+
+systemd_config_power_services(pegasus_openlmi_system_t)
++systemd_dbus_chat_logind(pegasus_openlmi_system_t)
+
+optional_policy(`
+ dbus_system_bus_client(pegasus_openlmi_system_t)
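Review bot: `systemd_dbus_chat_logind(pegasus_openlmi_system_t)` is added unconditionally, while the `dbus_system_bus_client()` call for the same domain sits in the `optional_policy` block directly below. Placing the new line inside that block would keep the two D-Bus grants together. A D-Bus chat rule allows message exchange with logind as a whole rather than individual methods, so what the provider may actually do is presumably left to logind's own authorization. A short comment stating which logind operations the OpenLMI provider needs would help anyone auditing this grant later.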
@@ -58002,7 +58073,7 @@ index 7bcf327..d40a4ee 100644
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
-@@ -54,22 +323,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
+@@ -54,22 +324,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
@@ -58033,7 +58104,7 @@ index 7bcf327..d40a4ee 100644
kernel_read_network_state(pegasus_t)
kernel_read_kernel_sysctls(pegasus_t)
-@@ -80,27 +349,21 @@ kernel_read_net_sysctls(pegasus_t)
+@@ -80,27 +350,21 @@ kernel_read_net_sysctls(pegasus_t)
kernel_read_xen_state(pegasus_t)
kernel_write_xen_state(pegasus_t)
@@ -58066,7 +58137,7 @@ index 7bcf327..d40a4ee 100644
corecmd_exec_bin(pegasus_t)
corecmd_exec_shell(pegasus_t)
-@@ -114,9 +377,11 @@ files_getattr_all_dirs(pegasus_t)
+@@ -114,9 +378,11 @@ files_getattr_all_dirs(pegasus_t)
auth_use_nsswitch(pegasus_t)
auth_domtrans_chk_passwd(pegasus_t)
@@ -58078,7 +58149,7 @@ index 7bcf327..d40a4ee 100644
files_list_var_lib(pegasus_t)
files_read_var_lib_files(pegasus_t)
-@@ -128,18 +393,29 @@ init_stream_connect_script(pegasus_t)
+@@ -128,18 +394,29 @@ init_stream_connect_script(pegasus_t)
logging_send_audit_msgs(pegasus_t)
logging_send_syslog_msg(pegasus_t)
@@ -58114,7 +58185,7 @@ index 7bcf327..d40a4ee 100644
')
optional_policy(`
-@@ -151,16 +427,24 @@ optional_policy(`
+@@ -151,16 +428,24 @@ optional_policy(`
')
optional_policy(`
@@ -58143,7 +58214,7 @@ index 7bcf327..d40a4ee 100644
')
optional_policy(`
-@@ -168,7 +452,7 @@ optional_policy(`
+@@ -168,7 +453,7 @@ optional_policy(`
')
optional_policy(`
@@ -71491,7 +71562,7 @@ index 951db7f..c0cabe8 100644
+ files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf")
')
diff --git a/raid.te b/raid.te
-index 2c1730b..4699a1e 100644
+index 2c1730b..4fae3d2 100644
--- a/raid.te
+++ b/raid.te
@@ -15,6 +15,15 @@ role mdadm_roles types mdadm_t;
@@ -71510,7 +71581,7 @@ index 2c1730b..4699a1e 100644
type mdadm_var_run_t alias mdadm_map_t;
files_pid_file(mdadm_var_run_t)
dev_associate(mdadm_var_run_t)
-@@ -25,23 +34,34 @@ dev_associate(mdadm_var_run_t)
+@@ -25,43 +34,64 @@ dev_associate(mdadm_var_run_t)
#
allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
@@ -71549,10 +71620,12 @@ index 2c1730b..4699a1e 100644
corecmd_exec_bin(mdadm_t)
corecmd_exec_shell(mdadm_t)
-@@ -49,19 +69,29 @@ corecmd_exec_shell(mdadm_t)
+
dev_rw_sysfs(mdadm_t)
- dev_dontaudit_getattr_all_blk_files(mdadm_t)
- dev_dontaudit_getattr_all_chr_files(mdadm_t)
+-dev_dontaudit_getattr_all_blk_files(mdadm_t)
+-dev_dontaudit_getattr_all_chr_files(mdadm_t)
++dev_dontaudit_read_all_blk_files(mdadm_t)
++dev_dontaudit_read_all_chr_files(mdadm_t)
+dev_read_crash(mdadm_t)
+dev_read_framebuffer(mdadm_t)
dev_read_realtime_clock(mdadm_t)
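Review bot: Switching mdadm_t from `dev_dontaudit_getattr_all_blk_files` / `dev_dontaudit_getattr_all_chr_files` to the `dev_dontaudit_read_all_*` variants means denied read attempts on every block and character device no longer produce AVC records. That is a real loss of audit visibility for a domain holding `sys_admin`, so the reason deserves a comment, e.g. `# mdadm probes all device nodes while scanning for arrays; denials are expected`. It is also worth checking that the read variants still cover `getattr`; if they do not, the getattr denials silenced before would start being logged again and the old lines should be kept alongside. The inner hunk of raid.te continues outside what is shown here.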
@@ -74836,7 +74909,7 @@ index 56bc01f..f1ee87e 100644
+ allow $1 cluster_unit_file_t:service all_service_perms;
')
diff --git a/rhcs.te b/rhcs.te
-index 2c2de9a..de2014c 100644
+index 2c2de9a..f8b98bd 100644
--- a/rhcs.te
+++ b/rhcs.te
@@ -20,6 +20,27 @@ gen_tunable(fenced_can_network_connect, false)
@@ -75175,7 +75248,7 @@ index 2c2de9a..de2014c 100644
+logging_send_syslog_msg(dlm_controld_t)
+
+optional_policy(`
-+ corosync_rw_tmpfs(dlm_controld_t)
++ rhcs_rw_cluster_tmpfs(dlm_controld_t)
+')
+
+optional_policy(`
@@ -75850,7 +75923,7 @@ index 0000000..0e965c3
+ rpm_domtrans(rhnsd_t)
+')
diff --git a/rhsmcertd.if b/rhsmcertd.if
-index 6dbc905..78746ef 100644
+index 6dbc905..4b17c93 100644
--- a/rhsmcertd.if
+++ b/rhsmcertd.if
@@ -1,8 +1,8 @@
@@ -75955,14 +76028,33 @@ index 6dbc905..78746ef 100644
##
-## Connect to rhsmcertd with a
-## unix domain stream socket.
-+## Read/wirte inherited lock files.
++## Read rhsmcertd PID files.
##
##
##
-@@ -207,6 +202,26 @@ interface(`rhsmcertd_read_pid_files',`
+@@ -207,6 +202,45 @@ interface(`rhsmcertd_read_pid_files',`
##
##
#
++interface(`rhsmcertd_manage_pid_files',`
++ gen_require(`
++ type rhsmcertd_var_run_t;
++ ')
++
++ files_search_pids($1)
++ manage_files_pattern($1, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
++')
++
++########################################
++##
++## Read/wirte inherited lock files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`rhsmcertd_rw_inherited_lock_files',`
+ gen_require(`
+ type rhsmcertd_lock_t;
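Review bot: As far as the visible lines show, the new `rhsmcertd_manage_pid_files` interface ends up under the summary `Read rhsmcertd PID files.`, although it grants `manage_files_pattern` on `rhsmcertd_var_run_t`, which includes creating, writing and deleting. The summary should read `## Manage rhsmcertd PID files.` so that callers do not underestimate the grant. The summary re-added for the lock-file interface still carries the typo `Read/wirte`, which should be `Read/write`. The only caller added in this commit is sosreport_t (sosreport.te hunk); if it only needs to read the PID files, the existing `rhsmcertd_read_pid_files` would be the narrower interface.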
@@ -75986,7 +76078,7 @@ index 6dbc905..78746ef 100644
interface(`rhsmcertd_stream_connect',`
gen_require(`
type rhsmcertd_t, rhsmcertd_var_run_t;
-@@ -239,30 +254,29 @@ interface(`rhsmcertd_dbus_chat',`
+@@ -239,30 +273,29 @@ interface(`rhsmcertd_dbus_chat',`
######################################
##
@@ -76030,7 +76122,7 @@ index 6dbc905..78746ef 100644
##
##
##
-@@ -270,35 +284,41 @@ interface(`rhsmcertd_dontaudit_dbus_chat',`
+@@ -270,35 +303,41 @@ interface(`rhsmcertd_dontaudit_dbus_chat',`
##
##
##
@@ -76062,24 +76154,24 @@ index 6dbc905..78746ef 100644
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 rhsmcertd_t:process ptrace;
+ ')
-
-- logging_search_logs($1)
-- admin_pattern($1, rhsmcertd_log_t)
++
+ rhsmcertd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 rhsmcertd_initrc_exec_t system_r;
+ allow $2 system_r;
-- files_search_var_lib($1)
-- admin_pattern($1, rhsmcertd_var_lib_t)
+- logging_search_logs($1)
+- admin_pattern($1, rhsmcertd_log_t)
+ logging_search_logs($1)
+ admin_pattern($1, rhsmcertd_log_t)
-- files_search_pids($1)
-- admin_pattern($1, rhsmcertd_var_run_t)
+- files_search_var_lib($1)
+- admin_pattern($1, rhsmcertd_var_lib_t)
+ files_search_var_lib($1)
+ admin_pattern($1, rhsmcertd_var_lib_t)
-+
+
+- files_search_pids($1)
+- admin_pattern($1, rhsmcertd_var_run_t)
+ files_search_pids($1)
+ admin_pattern($1, rhsmcertd_var_run_t)
+
@@ -77336,7 +77428,7 @@ index 3bd6446..eec0a35 100644
+ allow $1 var_lib_nfs_t:file relabel_file_perms;
')
diff --git a/rpc.te b/rpc.te
-index e5212e6..022f7fc 100644
+index e5212e6..dba369f 100644
--- a/rpc.te
+++ b/rpc.te
@@ -1,4 +1,4 @@
@@ -77638,6 +77730,15 @@ index e5212e6..022f7fc 100644
')
########################################
+@@ -263,7 +217,7 @@ optional_policy(`
+ # GSSD local policy
+ #
+
+-allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice };
++allow gssd_t self:capability { dac_override dac_read_search setuid setgid sys_nice };
+ allow gssd_t self:process { getsched setsched };
+ allow gssd_t self:fifo_file rw_fifo_file_perms;
+
@@ -271,6 +225,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
@@ -77646,7 +77747,7 @@ index e5212e6..022f7fc 100644
kernel_read_network_state(gssd_t)
kernel_read_network_state_symlinks(gssd_t)
kernel_request_load_module(gssd_t)
-@@ -279,25 +234,29 @@ kernel_signal(gssd_t)
+@@ -279,25 +234,30 @@ kernel_signal(gssd_t)
corecmd_exec_bin(gssd_t)
@@ -77668,6 +77769,7 @@ index e5212e6..022f7fc 100644
miscfiles_read_generic_certs(gssd_t)
userdom_signal_all_users(gssd_t)
++userdom_manage_all_users_keys(gssd_t)
-tunable_policy(`allow_gssd_read_tmp',`
+tunable_policy(`gssd_read_tmp',`
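Review bot: `userdom_manage_all_users_keys(gssd_t)` gives rpc.gssd manage-level access to the kernel keys of all user domains, and an earlier hunk in the same file adds `setgid` to its capabilities, so this commit widens gssd_t noticeably with no comment explaining either. If gssd only has to look up credentials held in user keyrings, an interface limited to reading and searching keys would be the least-privilege choice; if it really needs to write or change them, that should be stated next to the rule. A comment such as `# gssd accesses Kerberos credentials stored in users' kernel keyrings` would at least record the intent. These are top-level statements of the gssd section, which continues outside the hunk.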
@@ -77679,7 +77781,7 @@ index e5212e6..022f7fc 100644
')
optional_policy(`
-@@ -306,8 +265,11 @@ optional_policy(`
+@@ -306,8 +266,11 @@ optional_policy(`
optional_policy(`
kerberos_keytab_template(gssd, gssd_t)
@@ -79963,10 +80065,10 @@ index 0000000..0ec3302
+')
diff --git a/rtas.te b/rtas.te
new file mode 100644
-index 0000000..4e6663f
+index 0000000..52a39f8
--- /dev/null
+++ b/rtas.te
-@@ -0,0 +1,60 @@
+@@ -0,0 +1,62 @@
+policy_module(rtas, 1.0.0)
+
+########################################
@@ -79995,7 +80097,7 @@ index 0000000..4e6663f
+# rtas_errd local policy
+#
+
-+allow rtas_errd_t self:capability sys_admin;
++allow rtas_errd_t self:capability { chown sys_admin };
+allow rtas_errd_t self:process fork;
+allow rtas_errd_t self:fifo_file rw_fifo_file_perms;
+allow rtas_errd_t self:unix_stream_socket create_stream_socket_perms;
@@ -80020,6 +80122,8 @@ index 0000000..4e6663f
+
+corecmd_exec_bin(rtas_errd_t)
+
++dev_read_rand(rtas_errd_t)
++dev_read_urand(rtas_errd_t)
+dev_read_raw_memory(rtas_errd_t)
+dev_write_raw_memory(rtas_errd_t)
+
@@ -87111,7 +87215,7 @@ index 0000000..ad232be
+ mount_domtrans(snapperd_t)
+')
diff --git a/snmp.fc b/snmp.fc
-index c73fa24..408ff61 100644
+index c73fa24..50d80f4 100644
--- a/snmp.fc
+++ b/snmp.fc
@@ -1,6 +1,6 @@
@@ -87130,10 +87234,11 @@ index c73fa24..408ff61 100644
/var/log/snmpd\.log.* -- gen_context(system_u:object_r:snmpd_log_t,s0)
+-/var/run/net-snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0)
+-/var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0)
+/var/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0)
+
- /var/run/net-snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0)
--/var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0)
++/var/run/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0)
+/var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0)
/var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0)
diff --git a/snmp.if b/snmp.if
@@ -87428,7 +87533,7 @@ index 634c6b4..e1edfd9 100644
########################################
diff --git a/sosreport.te b/sosreport.te
-index 703efa3..46a794b 100644
+index 703efa3..1a35702 100644
--- a/sosreport.te
+++ b/sosreport.te
@@ -19,6 +19,9 @@ files_tmp_file(sosreport_tmp_t)
@@ -87591,7 +87696,7 @@ index 703efa3..46a794b 100644
')
optional_policy(`
-@@ -131,13 +190,33 @@ optional_policy(`
+@@ -131,13 +190,34 @@ optional_policy(`
')
optional_policy(`
@@ -87607,6 +87712,7 @@ index 703efa3..46a794b 100644
- rpm_dontaudit_manage_db(sosreport_t)
- rpm_read_db(sosreport_t)
+ rhsmcertd_manage_lib_files(sosreport_t)
++ rhsmcertd_manage_pid_files(sosreport_t)
+')
+
+optional_policy(`
@@ -97664,7 +97770,7 @@ index 9dec06c..3ad56e3 100644
+ virt_stream_connect($1)
')
diff --git a/virt.te b/virt.te
-index 1f22fba..e3c644e 100644
+index 1f22fba..af9d192 100644
--- a/virt.te
+++ b/virt.te
@@ -1,147 +1,194 @@
@@ -98913,7 +99019,7 @@ index 1f22fba..e3c644e 100644
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
-@@ -812,23 +919,23 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -812,23 +919,25 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
@@ -98933,20 +99039,21 @@ index 1f22fba..e3c644e 100644
-miscfiles_read_localization(virsh_t)
+auth_read_passwd(virsh_t)
-
--sysnet_dns_name_resolve(virsh_t)
++
+logging_send_syslog_msg(virsh_t)
+ sysnet_dns_name_resolve(virsh_t)
+
-tunable_policy(`virt_use_fusefs',`
- fs_manage_fusefs_dirs(virsh_t)
- fs_manage_fusefs_files(virsh_t)
- fs_read_fusefs_symlinks(virsh_t)
-')
-+sysnet_dns_name_resolve(virsh_t)
++userdom_stream_connect(virsh_t)
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
-@@ -847,14 +954,20 @@ optional_policy(`
+@@ -847,14 +956,20 @@ optional_policy(`
')
optional_policy(`
@@ -98968,7 +99075,7 @@ index 1f22fba..e3c644e 100644
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
-@@ -879,49 +992,65 @@ optional_policy(`
+@@ -879,49 +994,65 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
@@ -99052,7 +99159,7 @@ index 1f22fba..e3c644e 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
-@@ -933,17 +1062,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -933,17 +1064,16 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
@@ -99072,7 +99179,7 @@ index 1f22fba..e3c644e 100644
fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -955,8 +1083,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -955,8 +1085,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@@ -99096,7 +99203,7 @@ index 1f22fba..e3c644e 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
-@@ -965,194 +1108,271 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -965,194 +1110,271 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@@ -99129,12 +99236,12 @@ index 1f22fba..e3c644e 100644
+optional_policy(`
+ gnome_read_generic_cache_files(virtd_lxc_t)
+')
-+
+
+-sysnet_domtrans_ifconfig(virtd_lxc_t)
+optional_policy(`
+ setrans_manage_pid_files(virtd_lxc_t)
+')
-
--sysnet_domtrans_ifconfig(virtd_lxc_t)
++
+optional_policy(`
+ unconfined_domain(virtd_lxc_t)
+')
@@ -99232,6 +99339,15 @@ index 1f22fba..e3c644e 100644
+ apache_exec_modules(svirt_sandbox_domain)
+ apache_read_sys_content(svirt_sandbox_domain)
+')
++
++optional_policy(`
++ docker_read_lib_files(svirt_sandbox_domain)
++ docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)
++')
++
++optional_policy(`
++ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
++')
-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
@@ -99316,26 +99432,17 @@ index 1f22fba..e3c644e 100644
-
-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
+optional_policy(`
-+ docker_read_lib_files(svirt_sandbox_domain)
-+ docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)
-+')
-+
-+optional_policy(`
-+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
++ ssh_use_ptys(svirt_sandbox_domain)
+')
optional_policy(`
- udev_read_pid_files(svirt_lxc_domain)
-+ ssh_use_ptys(svirt_sandbox_domain)
++ udev_read_pid_files(svirt_sandbox_domain)
')
optional_policy(`
- apache_exec_modules(svirt_lxc_domain)
- apache_read_sys_content(svirt_lxc_domain)
-+ udev_read_pid_files(svirt_sandbox_domain)
-+')
-+
-+optional_policy(`
+ userhelper_dontaudit_write_config(svirt_sandbox_domain)
')
@@ -99363,10 +99470,6 @@ index 1f22fba..e3c644e 100644
-kernel_read_network_state(svirt_lxc_net_t)
-kernel_read_irq_sysctls(svirt_lxc_net_t)
+allow svirt_lxc_net_t self:process { execstack execmem };
-+
-+tunable_policy(`virt_sandbox_use_sys_admin',`
-+ allow svirt_lxc_net_t self:capability sys_admin;
-+')
-corenet_all_recvfrom_unlabeled(svirt_lxc_net_t)
-corenet_all_recvfrom_netlabel(svirt_lxc_net_t)
@@ -99378,6 +99481,13 @@ index 1f22fba..e3c644e 100644
-corenet_udp_sendrecv_all_ports(svirt_lxc_net_t)
-corenet_tcp_bind_generic_node(svirt_lxc_net_t)
-corenet_udp_bind_generic_node(svirt_lxc_net_t)
++tunable_policy(`virt_sandbox_use_sys_admin',`
++ allow svirt_lxc_net_t self:capability sys_admin;
++')
+
+-corenet_sendrecv_all_server_packets(svirt_lxc_net_t)
+-corenet_udp_bind_all_ports(svirt_lxc_net_t)
+-corenet_tcp_bind_all_ports(svirt_lxc_net_t)
+tunable_policy(`virt_sandbox_use_netlink',`
+ allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
+ allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
@@ -99386,16 +99496,13 @@ index 1f22fba..e3c644e 100644
+ logging_dontaudit_send_audit_msgs(svirt_lxc_net_t)
+')
--corenet_sendrecv_all_server_packets(svirt_lxc_net_t)
--corenet_udp_bind_all_ports(svirt_lxc_net_t)
--corenet_tcp_bind_all_ports(svirt_lxc_net_t)
+-corenet_sendrecv_all_client_packets(svirt_lxc_net_t)
+-corenet_tcp_connect_all_ports(svirt_lxc_net_t)
+allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms;
+allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms;
--corenet_sendrecv_all_client_packets(svirt_lxc_net_t)
--corenet_tcp_connect_all_ports(svirt_lxc_net_t)
+kernel_read_irq_sysctls(svirt_lxc_net_t)
-
++
+dev_read_sysfs(svirt_lxc_net_t)
dev_getattr_mtrr_dev(svirt_lxc_net_t)
dev_read_rand(svirt_lxc_net_t)
@@ -99459,11 +99566,11 @@ index 1f22fba..e3c644e 100644
+dev_rw_kvm(svirt_qemu_net_t)
+
+manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t)
-
--allow svirt_prot_exec_t self:process { execmem execstack };
++
+list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
+read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
-+
+
+-allow svirt_prot_exec_t self:process { execmem execstack };
+append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t)
+
+kernel_read_irq_sysctls(svirt_qemu_net_t)
@@ -99506,7 +99613,7 @@ index 1f22fba..e3c644e 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1165,12 +1385,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1165,12 +1387,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -99521,7 +99628,7 @@ index 1f22fba..e3c644e 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1183,9 +1403,8 @@ optional_policy(`
+@@ -1183,9 +1405,8 @@ optional_policy(`
########################################
#
@@ -99532,7 +99639,7 @@ index 1f22fba..e3c644e 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1417,198 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1419,198 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index a532f37..3ea8db9 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 115%{?dist}
+Release: 116%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -576,6 +576,33 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon Jan 13 2014 Miroslav Grepl 3.12.1-116
+- Add missing files_create_var_lib_dirs()
+- Fix typo in ipsec.te
+- Allow passwd to create directory in /var/lib
+- Add filename trans also for event21
+- Allow iptables command to read /dev/rand
+- Add sigkill capabilityfor ipsec_t
+- Add filename transitions for bcache devices
+- Add additional rules to create /var/log/cron by syslogd_t with correct labeling
+- Add give everyone full access to all key rings
+- Add default lvm_var_run_t label for /var/run/multipathd
+- Fix log labeling to have correct default label for them after logrotate
+- Labeled ~/.nv/GLCache as being gstreamer output
+- Allow nagios_system_plugin to read mrtg lib files
+- Add mrtg_read_lib_files()
+- Call rhcs_rw_cluster_tmpfs for dlm_controld
+- Make authconfing as named_filetrans domain
+- Allow virsh to connect to user process using stream socket
+- Allow rtas_errd to read rand/urand devices and add chown capability
+- Fix labeling from /var/run/net-snmpd to correct /var/run/net-snmp
+- Add also chown cap for abrt_upload_watch_t. It already has dac_override
+- Allow sosreport to manage rhsmcertd pid files
+- Add rhsmcertd_manage_pid_files()
+- Allow also setgid cap for rpc.gssd
+- Dontaudit access check for abrt on cert_t
+- Allow pegasus_openlmi_system providers to dbus chat with systemd-logind
+
* Fri Jan 10 2014 Miroslav Grepl 3.12.1-115
- Fix semanage import handling in spec file