diff --git a/policy-f20-base.patch b/policy-f20-base.patch
index 99ed4bf..4ceed02 100644
--- a/policy-f20-base.patch
+++ b/policy-f20-base.patch
@@ -3452,7 +3452,7 @@ index 7590165..85186a9 100644
+ fs_mounton_fusefs(seunshare_domain)
')
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 644d4d7..6f006ec 100644
+index 644d4d7..c8ab679 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -1,9 +1,10 @@
@@ -3649,7 +3649,7 @@ index 644d4d7..6f006ec 100644
/usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0)
-@@ -241,10 +285,15 @@ ifdef(`distro_gentoo',`
+@@ -241,26 +285,39 @@ ifdef(`distro_gentoo',`
/usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
@@ -3665,7 +3665,15 @@ index 644d4d7..6f006ec 100644
/usr/lib/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
-@@ -257,10 +306,17 @@ ifdef(`distro_gentoo',`
+
+ /usr/lib/xen/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+-
+ /usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0)
++
+ /usr/libexec/git-core/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
+-/usr/libexec/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/libexec/cockpit-agent -- gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/libexec/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
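Review bot: The `/usr/libexec/cockpit-agent` entry added to corecommands.fc is labelled `shell_exec_t`, and no comment says why an agent binary is treated as a shell. With that label, any domain whose policy allows executing shells can run it, and rules keyed on `shell_exec_t` apply to it. I would put the reason next to the entry, e.g. `# cockpit-agent: labelled as a shell because <reason>`. The same entry is removed from cockpit.fc further down this diff, so this looks like a move between modules and not a new labelling decision.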
@@ -3673,20 +3681,20 @@ index 644d4d7..6f006ec 100644
-/usr/local/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/xfce4(/.*)? gen_context(system_u:object_r:bin_t,s0)
-
++
+/usr/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/Brother/(.*/)?inf/brprintconf.* gen_context(system_u:object_r:bin_t,s0)
+/usr/Brother/(.*/)?inf/setup.* gen_context(system_u:object_r:bin_t,s0)
+/usr/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+
+
+/usr/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
+/usr/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
+/usr/sbin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -269,6 +325,7 @@ ifdef(`distro_gentoo',`
+@@ -269,6 +326,7 @@ ifdef(`distro_gentoo',`
/usr/share/ajaxterm/qweb.py.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0)
@@ -3694,7 +3702,7 @@ index 644d4d7..6f006ec 100644
/usr/share/dayplanner/dayplanner -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/denyhosts/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -276,10 +333,15 @@ ifdef(`distro_gentoo',`
+@@ -276,10 +334,15 @@ ifdef(`distro_gentoo',`
/usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
@@ -3710,7 +3718,7 @@ index 644d4d7..6f006ec 100644
/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -294,16 +356,22 @@ ifdef(`distro_gentoo',`
+@@ -294,16 +357,22 @@ ifdef(`distro_gentoo',`
/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
@@ -3735,7 +3743,7 @@ index 644d4d7..6f006ec 100644
ifdef(`distro_debian',`
/usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0)
-@@ -321,20 +389,27 @@ ifdef(`distro_redhat', `
+@@ -321,20 +390,27 @@ ifdef(`distro_redhat', `
/etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0)
/etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0)
@@ -3764,7 +3772,7 @@ index 644d4d7..6f006ec 100644
/usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -342,6 +417,7 @@ ifdef(`distro_redhat', `
+@@ -342,6 +418,7 @@ ifdef(`distro_redhat', `
/usr/share/ssl/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0)
@@ -3772,7 +3780,7 @@ index 644d4d7..6f006ec 100644
/usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0)
-@@ -383,11 +459,16 @@ ifdef(`distro_suse', `
+@@ -383,11 +460,16 @@ ifdef(`distro_suse', `
#
# /var
#
@@ -3790,7 +3798,7 @@ index 644d4d7..6f006ec 100644
/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
/var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0)
-@@ -397,3 +478,12 @@ ifdef(`distro_suse', `
+@@ -397,3 +479,12 @@ ifdef(`distro_suse', `
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -20880,10 +20888,10 @@ index ff92430..36740ea 100644
##
## Execute a generic bin program in the sysadm domain.
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 88d0028..4a77968 100644
+index 88d0028..e49b8da 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
-@@ -5,39 +5,85 @@ policy_module(sysadm, 2.5.1)
+@@ -5,39 +5,87 @@ policy_module(sysadm, 2.5.1)
# Declarations
#
@@ -20897,11 +20905,12 @@ index 88d0028..4a77968 100644
role sysadm_r;
userdom_admin_user_template(sysadm)
++allow sysadm_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
-ifndef(`enable_mls',`
- userdom_security_admin_template(sysadm_t, sysadm_r)
-')
--
+
########################################
#
# Local policy
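Review bot: The new `allow sysadm_t self:netlink_tcpdiag_socket create_netlink_socket_perms;` is a raw allow rule in the declarations area with no comment on what needs it. It is presumably for socket-diagnostic tools such as `ss`, but that is not stated anywhere in the hunk. A one-line comment such as `# <tool>: socket diagnostics over netlink` would keep the rule reviewable. Consider placing it under the "Local policy" header that follows, where the other sysadm_t rules live.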
@@ -20980,7 +20989,7 @@ index 88d0028..4a77968 100644
ifdef(`direct_sysadm_daemon',`
optional_policy(`
-@@ -55,13 +101,7 @@ ifdef(`distro_gentoo',`
+@@ -55,13 +103,7 @@ ifdef(`distro_gentoo',`
init_exec_rc(sysadm_t)
')
@@ -20995,7 +21004,7 @@ index 88d0028..4a77968 100644
domain_ptrace_all_domains(sysadm_t)
')
-@@ -71,9 +111,9 @@ optional_policy(`
+@@ -71,9 +113,9 @@ optional_policy(`
optional_policy(`
apache_run_helper(sysadm_t, sysadm_r)
@@ -21006,7 +21015,7 @@ index 88d0028..4a77968 100644
')
optional_policy(`
-@@ -87,6 +127,7 @@ optional_policy(`
+@@ -87,6 +129,7 @@ optional_policy(`
optional_policy(`
asterisk_stream_connect(sysadm_t)
@@ -21014,7 +21023,7 @@ index 88d0028..4a77968 100644
')
optional_policy(`
-@@ -110,11 +151,17 @@ optional_policy(`
+@@ -110,11 +153,17 @@ optional_policy(`
')
optional_policy(`
@@ -21032,20 +21041,20 @@ index 88d0028..4a77968 100644
')
optional_policy(`
-@@ -122,11 +169,19 @@ optional_policy(`
+@@ -122,11 +171,19 @@ optional_policy(`
')
optional_policy(`
- consoletype_run(sysadm_t, sysadm_r)
+ cron_admin_role(sysadm_r, sysadm_t)
++')
++
++optional_policy(`
++ consoletype_exec(sysadm_t)
')
optional_policy(`
- cvs_exec(sysadm_t)
-+ consoletype_exec(sysadm_t)
-+')
-+
-+optional_policy(`
+ daemonstools_run_start(sysadm_t, sysadm_r)
+')
+
@@ -21054,7 +21063,7 @@ index 88d0028..4a77968 100644
')
optional_policy(`
-@@ -140,6 +195,10 @@ optional_policy(`
+@@ -140,6 +197,10 @@ optional_policy(`
')
optional_policy(`
@@ -21065,7 +21074,7 @@ index 88d0028..4a77968 100644
dmesg_exec(sysadm_t)
')
-@@ -156,11 +215,11 @@ optional_policy(`
+@@ -156,11 +217,11 @@ optional_policy(`
')
optional_policy(`
@@ -21079,7 +21088,7 @@ index 88d0028..4a77968 100644
')
optional_policy(`
-@@ -179,6 +238,13 @@ optional_policy(`
+@@ -179,6 +240,13 @@ optional_policy(`
ipsec_stream_connect(sysadm_t)
# for lsof
ipsec_getattr_key_sockets(sysadm_t)
@@ -21093,7 +21102,7 @@ index 88d0028..4a77968 100644
')
optional_policy(`
-@@ -186,15 +252,20 @@ optional_policy(`
+@@ -186,15 +254,20 @@ optional_policy(`
')
optional_policy(`
@@ -21105,19 +21114,19 @@ index 88d0028..4a77968 100644
- libs_run_ldconfig(sysadm_t, sysadm_r)
+ kerberos_exec_kadmind(sysadm_t)
+ kerberos_filetrans_named_content(sysadm_t)
++')
++
++optional_policy(`
++ kudzu_run(sysadm_t, sysadm_r)
')
optional_policy(`
- lockdev_role(sysadm_r, sysadm_t)
-+ kudzu_run(sysadm_t, sysadm_r)
-+')
-+
-+optional_policy(`
+ libs_run_ldconfig(sysadm_t, sysadm_r)
')
optional_policy(`
-@@ -214,22 +285,20 @@ optional_policy(`
+@@ -214,22 +287,20 @@ optional_policy(`
modutils_run_depmod(sysadm_t, sysadm_r)
modutils_run_insmod(sysadm_t, sysadm_r)
modutils_run_update_mods(sysadm_t, sysadm_r)
@@ -21146,7 +21155,7 @@ index 88d0028..4a77968 100644
')
optional_policy(`
-@@ -241,14 +310,27 @@ optional_policy(`
+@@ -241,14 +312,28 @@ optional_policy(`
')
optional_policy(`
@@ -21161,6 +21170,7 @@ index 88d0028..4a77968 100644
optional_policy(`
+ networkmanager_filetrans_named_content(sysadm_t)
++ networkmanager_stream_connect(sysadm_t)
+')
+
+optional_policy(`
@@ -21174,7 +21184,7 @@ index 88d0028..4a77968 100644
')
optional_policy(`
-@@ -256,10 +338,20 @@ optional_policy(`
+@@ -256,10 +341,20 @@ optional_policy(`
')
optional_policy(`
@@ -21195,7 +21205,7 @@ index 88d0028..4a77968 100644
portage_run(sysadm_t, sysadm_r)
portage_run_fetch(sysadm_t, sysadm_r)
portage_run_gcc_config(sysadm_t, sysadm_r)
-@@ -270,35 +362,41 @@ optional_policy(`
+@@ -270,35 +365,41 @@ optional_policy(`
')
optional_policy(`
@@ -21244,7 +21254,7 @@ index 88d0028..4a77968 100644
')
optional_policy(`
-@@ -312,6 +410,7 @@ optional_policy(`
+@@ -312,6 +413,7 @@ optional_policy(`
optional_policy(`
screen_role_template(sysadm, sysadm_r, sysadm_t)
@@ -21252,7 +21262,7 @@ index 88d0028..4a77968 100644
')
optional_policy(`
-@@ -319,12 +418,20 @@ optional_policy(`
+@@ -319,12 +421,20 @@ optional_policy(`
')
optional_policy(`
@@ -21274,7 +21284,7 @@ index 88d0028..4a77968 100644
')
optional_policy(`
-@@ -349,7 +456,18 @@ optional_policy(`
+@@ -349,7 +459,18 @@ optional_policy(`
')
optional_policy(`
@@ -21294,7 +21304,7 @@ index 88d0028..4a77968 100644
')
optional_policy(`
-@@ -360,19 +478,15 @@ optional_policy(`
+@@ -360,19 +481,15 @@ optional_policy(`
')
optional_policy(`
@@ -21316,7 +21326,7 @@ index 88d0028..4a77968 100644
')
optional_policy(`
-@@ -384,10 +498,6 @@ optional_policy(`
+@@ -384,10 +501,6 @@ optional_policy(`
')
optional_policy(`
@@ -21327,7 +21337,7 @@ index 88d0028..4a77968 100644
usermanage_run_admin_passwd(sysadm_t, sysadm_r)
usermanage_run_groupadd(sysadm_t, sysadm_r)
usermanage_run_useradd(sysadm_t, sysadm_r)
-@@ -395,6 +505,9 @@ optional_policy(`
+@@ -395,6 +508,9 @@ optional_policy(`
optional_policy(`
virt_stream_connect(sysadm_t)
@@ -21337,7 +21347,7 @@ index 88d0028..4a77968 100644
')
optional_policy(`
-@@ -402,31 +515,34 @@ optional_policy(`
+@@ -402,31 +518,34 @@ optional_policy(`
')
optional_policy(`
@@ -21378,7 +21388,7 @@ index 88d0028..4a77968 100644
auth_role(sysadm_r, sysadm_t)
')
-@@ -439,10 +555,6 @@ ifndef(`distro_redhat',`
+@@ -439,10 +558,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -21389,7 +21399,7 @@ index 88d0028..4a77968 100644
dbus_role_template(sysadm, sysadm_r, sysadm_t)
optional_policy(`
-@@ -463,15 +575,79 @@ ifndef(`distro_redhat',`
+@@ -463,15 +578,79 @@ ifndef(`distro_redhat',`
')
optional_policy(`
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index 9efc54b..3cc1787 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -566,7 +566,7 @@ index 058d908..cf17e67 100644
+')
+
diff --git a/abrt.te b/abrt.te
-index cc43d25..721bfee 100644
+index cc43d25..9b01e12 100644
--- a/abrt.te
+++ b/abrt.te
@@ -1,4 +1,4 @@
@@ -802,7 +802,7 @@ index cc43d25..721bfee 100644
dev_getattr_all_chr_files(abrt_t)
dev_getattr_all_blk_files(abrt_t)
-@@ -163,29 +193,42 @@ files_getattr_all_files(abrt_t)
+@@ -163,29 +193,43 @@ files_getattr_all_files(abrt_t)
files_read_config_files(abrt_t)
files_read_etc_runtime_files(abrt_t)
files_read_var_symlinks(abrt_t)
@@ -842,13 +842,14 @@ index cc43d25..721bfee 100644
+miscfiles_read_generic_certs(abrt_t)
miscfiles_read_public_files(abrt_t)
+miscfiles_dontaudit_access_check_cert(abrt_t)
++miscfiles_dontaudit_write_generic_cert_files(abrt_t)
userdom_dontaudit_read_user_home_content_files(abrt_t)
+userdom_dontaudit_read_admin_home_files(abrt_t)
tunable_policy(`abrt_anon_write',`
miscfiles_manage_public_files(abrt_t)
-@@ -193,15 +236,11 @@ tunable_policy(`abrt_anon_write',`
+@@ -193,15 +237,11 @@ tunable_policy(`abrt_anon_write',`
optional_policy(`
apache_list_modules(abrt_t)
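Review bot: `miscfiles_dontaudit_write_generic_cert_files(abrt_t)` suppresses the AVC record for abrt_t write attempts on generic certificate files, and the hunk does not say which access prompted it. The denial itself stays in force, but the log entry is the only signal that something running as abrt_t tried to modify certificate material, and that signal is now lost. I would add a comment naming the benign access being hidden, e.g. `# <bug reference>: <abrt code path that opens cert files for write>`. If the cause is not understood, leaving the denial audited is the safer choice.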
@@ -865,7 +866,7 @@ index cc43d25..721bfee 100644
')
optional_policy(`
-@@ -209,6 +248,20 @@ optional_policy(`
+@@ -209,6 +249,20 @@ optional_policy(`
')
optional_policy(`
@@ -886,7 +887,7 @@ index cc43d25..721bfee 100644
policykit_domtrans_auth(abrt_t)
policykit_read_lib(abrt_t)
policykit_read_reload(abrt_t)
-@@ -221,6 +274,11 @@ optional_policy(`
+@@ -221,6 +275,11 @@ optional_policy(`
')
optional_policy(`
@@ -898,7 +899,7 @@ index cc43d25..721bfee 100644
rpm_exec(abrt_t)
rpm_dontaudit_manage_db(abrt_t)
rpm_manage_cache(abrt_t)
-@@ -230,6 +288,7 @@ optional_policy(`
+@@ -230,6 +289,7 @@ optional_policy(`
rpm_signull(abrt_t)
')
@@ -906,7 +907,7 @@ index cc43d25..721bfee 100644
optional_policy(`
sendmail_domtrans(abrt_t)
')
-@@ -240,9 +299,17 @@ optional_policy(`
+@@ -240,9 +300,17 @@ optional_policy(`
sosreport_delete_tmp_files(abrt_t)
')
@@ -925,7 +926,7 @@ index cc43d25..721bfee 100644
#
allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
-@@ -253,9 +320,13 @@ tunable_policy(`abrt_handle_event',`
+@@ -253,9 +321,13 @@ tunable_policy(`abrt_handle_event',`
can_exec(abrt_t, abrt_handle_event_exec_t)
')
@@ -940,7 +941,7 @@ index cc43d25..721bfee 100644
#
allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -268,6 +339,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+@@ -268,6 +340,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
@@ -948,7 +949,7 @@ index cc43d25..721bfee 100644
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
-@@ -276,15 +348,20 @@ corecmd_read_all_executables(abrt_helper_t)
+@@ -276,15 +349,20 @@ corecmd_read_all_executables(abrt_helper_t)
domain_read_all_domains_state(abrt_helper_t)
@@ -969,7 +970,7 @@ index cc43d25..721bfee 100644
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -292,11 +369,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -292,11 +370,25 @@ ifdef(`hide_broken_symptoms',`
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -996,7 +997,7 @@ index cc43d25..721bfee 100644
#
allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
-@@ -314,10 +405,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
+@@ -314,10 +406,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
dev_read_urand(abrt_retrace_coredump_t)
@@ -1010,7 +1011,7 @@ index cc43d25..721bfee 100644
optional_policy(`
rpm_exec(abrt_retrace_coredump_t)
rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
-@@ -330,10 +423,11 @@ optional_policy(`
+@@ -330,10 +424,11 @@ optional_policy(`
#######################################
#
@@ -1024,7 +1025,7 @@ index cc43d25..721bfee 100644
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -352,46 +446,56 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -352,46 +447,56 @@ corecmd_exec_shell(abrt_retrace_worker_t)
dev_read_urand(abrt_retrace_worker_t)
@@ -1086,7 +1087,7 @@ index cc43d25..721bfee 100644
read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
-@@ -400,16 +504,50 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
+@@ -400,16 +505,50 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
corecmd_exec_bin(abrt_watch_log_t)
logging_read_all_logs(abrt_watch_log_t)
@@ -1933,16 +1934,18 @@ index 0000000..a95a4ad
+')
+
diff --git a/alsa.fc b/alsa.fc
-index 5de1e01..e5ab7ff 100644
+index 5de1e01..6620b08 100644
--- a/alsa.fc
+++ b/alsa.fc
-@@ -19,4 +19,8 @@ HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0)
+@@ -19,4 +19,10 @@ HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0)
/usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0)
/usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
+/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
+
++/var/lock/asound\.state\.lock -- gen_context(system_u:object_r:alsa_lock_t,s0)
++
+/usr/lib/systemd/system/alsa.* -- gen_context(system_u:object_r:alsa_unit_file_t,s0)
+
+/var/run/alsactl\.pid -- gen_context(system_u:object_r:alsa_var_run_t,s0)
@@ -2060,10 +2063,19 @@ index 708b743..cc78465 100644
+ ps_process_pattern($1, alsa_t)
')
diff --git a/alsa.te b/alsa.te
-index cda6d20..a80ddb9 100644
+index cda6d20..e1c91b5 100644
--- a/alsa.te
+++ b/alsa.te
-@@ -21,16 +21,23 @@ files_tmp_file(alsa_tmp_t)
+@@ -15,22 +15,32 @@ role alsa_roles types alsa_t;
+ type alsa_etc_rw_t;
+ files_config_file(alsa_etc_rw_t)
+
++type alsa_lock_t;
++files_lock_file(alsa_lock_t)
++
+ type alsa_tmp_t;
+ files_tmp_file(alsa_tmp_t)
+
type alsa_var_lib_t;
files_type(alsa_var_lib_t)
@@ -2089,7 +2101,17 @@ index cda6d20..a80ddb9 100644
allow alsa_t self:sem create_sem_perms;
allow alsa_t self:shm create_shm_perms;
allow alsa_t self:unix_stream_socket { accept listen };
-@@ -51,7 +58,13 @@ userdom_user_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
+@@ -43,6 +53,9 @@ files_etc_filetrans(alsa_t, alsa_etc_rw_t, file)
+
+ can_exec(alsa_t, alsa_exec_t)
+
++manage_files_pattern(alsa_t, alsa_lock_t, alsa_lock_t)
++files_lock_filetrans(alsa_t, alsa_lock_t, file)
++
+ manage_dirs_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
+ manage_files_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
+ files_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
+@@ -51,7 +64,13 @@ userdom_user_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
@@ -2103,7 +2125,7 @@ index cda6d20..a80ddb9 100644
corecmd_exec_bin(alsa_t)
-@@ -59,7 +72,6 @@ dev_read_sound(alsa_t)
+@@ -59,7 +78,6 @@ dev_read_sound(alsa_t)
dev_read_sysfs(alsa_t)
dev_write_sound(alsa_t)
@@ -2111,7 +2133,7 @@ index cda6d20..a80ddb9 100644
files_search_var_lib(alsa_t)
term_dontaudit_use_console(alsa_t)
-@@ -72,8 +84,6 @@ init_use_fds(alsa_t)
+@@ -72,8 +90,6 @@ init_use_fds(alsa_t)
logging_send_syslog_msg(alsa_t)
@@ -8504,10 +8526,10 @@ index dcd774e..c240ffa 100644
allow $1 bacula_t:process { ptrace signal_perms };
diff --git a/bacula.te b/bacula.te
-index 3beba2f..12cd4f6 100644
+index 3beba2f..a6d4fb0 100644
--- a/bacula.te
+++ b/bacula.te
-@@ -43,7 +43,7 @@ role bacula_admin_roles types bacula_admin_t;
+@@ -43,16 +43,18 @@ role bacula_admin_roles types bacula_admin_t;
# Local policy
#
@@ -8516,7 +8538,18 @@ index 3beba2f..12cd4f6 100644
allow bacula_t self:process signal;
allow bacula_t self:fifo_file rw_fifo_file_perms;
allow bacula_t self:tcp_socket { accept listen };
-@@ -88,6 +88,10 @@ corenet_udp_bind_generic_node(bacula_t)
+
+ read_files_pattern(bacula_t, bacula_etc_t, bacula_etc_t)
+
++manage_dirs_pattern(bacula_t,bacula_log_t, bacula_log_t)
+ append_files_pattern(bacula_t, bacula_log_t, bacula_log_t)
+ create_files_pattern(bacula_t, bacula_log_t, bacula_log_t)
+ setattr_files_pattern(bacula_t, bacula_log_t, bacula_log_t)
++logging_log_filetrans(bacula_t, bacula_log_t, { file dir })
+
+ manage_dirs_pattern(bacula_t, bacula_spool_t, bacula_spool_t)
+ manage_files_pattern(bacula_t, bacula_spool_t, bacula_spool_t)
+@@ -88,6 +90,10 @@ corenet_udp_bind_generic_node(bacula_t)
corenet_sendrecv_generic_server_packets(bacula_t)
corenet_udp_bind_generic_port(bacula_t)
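Review bot: `manage_dirs_pattern(bacula_t,bacula_log_t, bacula_log_t)` is missing the space after the first comma that every neighbouring rule uses. It also gives bacula_t full create/rename/delete on log directories, while the file rules beside it are deliberately limited to append, create and setattr. If the daemon only needs to create its log subdirectory, `create_dirs_pattern(bacula_t, bacula_log_t, bacula_log_t)` together with the added `logging_log_filetrans` would keep the directory side as narrow as the file side. Whether rename or delete is actually required cannot be seen from this hunk.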
@@ -8527,7 +8560,7 @@ index 3beba2f..12cd4f6 100644
corenet_sendrecv_hplip_server_packets(bacula_t)
corenet_tcp_bind_hplip_port(bacula_t)
corenet_udp_bind_hplip_port(bacula_t)
-@@ -105,6 +109,7 @@ files_read_all_symlinks(bacula_t)
+@@ -105,6 +111,7 @@ files_read_all_symlinks(bacula_t)
fs_getattr_xattr_fs(bacula_t)
fs_list_all(bacula_t)
@@ -8535,7 +8568,7 @@ index 3beba2f..12cd4f6 100644
auth_read_shadow(bacula_t)
logging_send_syslog_msg(bacula_t)
-@@ -148,9 +153,7 @@ corenet_tcp_connect_hplip_port(bacula_admin_t)
+@@ -148,9 +155,7 @@ corenet_tcp_connect_hplip_port(bacula_admin_t)
domain_use_interactive_fds(bacula_admin_t)
@@ -10460,10 +10493,10 @@ index 8de2ab9..3b41945 100644
+ domtrans_pattern($1, cachefilesd_exec_t, cachefilesd_t)
')
diff --git a/cachefilesd.te b/cachefilesd.te
-index 581c8ef..2c71b1d 100644
+index 581c8ef..2d9508e 100644
--- a/cachefilesd.te
+++ b/cachefilesd.te
-@@ -1,52 +1,143 @@
+@@ -1,52 +1,144 @@
-policy_module(cachefilesd, 1.0.1)
+###############################################################################
+#
@@ -10556,6 +10589,7 @@ index 581c8ef..2c71b1d 100644
+# rules.
+#
allow cachefilesd_t self:capability { setuid setgid sys_admin dac_override };
++allow cachefilesd_t self:process signal_perms;
+# Allow manipulation of pid file
+allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms;
@@ -10949,7 +10983,7 @@ index 008f8ef..144c074 100644
admin_pattern($1, certmonger_var_run_t)
')
diff --git a/certmonger.te b/certmonger.te
-index 2354e21..cc0fe4f 100644
+index 2354e21..3a07ee5 100644
--- a/certmonger.te
+++ b/certmonger.te
@@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t)
@@ -11038,7 +11072,7 @@ index 2354e21..cc0fe4f 100644
')
optional_policy(`
-@@ -92,11 +109,51 @@ optional_policy(`
+@@ -92,11 +109,52 @@ optional_policy(`
')
optional_policy(`
@@ -11046,6 +11080,7 @@ index 2354e21..cc0fe4f 100644
+ dirsrv_manage_config(certmonger_t)
+ dirsrv_signal(certmonger_t)
+ dirsrv_signull(certmonger_t)
++ dirsrv_stream_connect(certmonger_t)
+')
+
+optional_policy(`
@@ -11539,7 +11574,7 @@ index 0000000..7beaafe
+')
diff --git a/chrome.te b/chrome.te
new file mode 100644
-index 0000000..b4f29e9
+index 0000000..654098e
--- /dev/null
+++ b/chrome.te
@@ -0,0 +1,249 @@
@@ -11751,7 +11786,7 @@ index 0000000..b4f29e9
+
+allow chrome_sandbox_nacl_t chrome_sandbox_t:shm rw_shm_perms;
+allow chrome_sandbox_nacl_t chrome_sandbox_tmpfs_t:file rw_inherited_file_perms;
-+allow chrome_sandbox_t chrome_sandbox_nacl_t:process { sigkill sigstop signull signal share };
++allow chrome_sandbox_t chrome_sandbox_nacl_t:process { sigkill sigstop signull signal sigchld share };
+
+manage_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t)
+fs_tmpfs_filetrans(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, file)
@@ -13424,10 +13459,10 @@ index 2a71346..3a38b11 100644
')
diff --git a/cockpit.fc b/cockpit.fc
new file mode 100644
-index 0000000..276ea8a
+index 0000000..b71de28
--- /dev/null
+++ b/cockpit.fc
-@@ -0,0 +1,10 @@
+@@ -0,0 +1,8 @@
+# cockpit stuff
+
+/usr/lib/systemd/system/cockpit.* -- gen_context(system_u:object_r:cockpit_unit_file_t,s0)
@@ -13436,8 +13471,6 @@ index 0000000..276ea8a
+/usr/libexec/cockpit-ws -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0)
+
+/usr/libexec/cockpit-session -- gen_context(system_u:object_r:cockpit_session_exec_t,s0)
-+
-+/usr/libexec/cockpit-agent -- gen_context(system_u:object_r:shell_exec_t,s0)
diff --git a/cockpit.if b/cockpit.if
new file mode 100644
index 0000000..573dcae
@@ -14894,10 +14927,10 @@ index 3f2b672..8fb887d 100644
+')
diff --git a/conman.fc b/conman.fc
new file mode 100644
-index 0000000..5f97ba9
+index 0000000..d2f5c80
--- /dev/null
+++ b/conman.fc
-@@ -0,0 +1,7 @@
+@@ -0,0 +1,8 @@
+/usr/lib/systemd/system/conman.* -- gen_context(system_u:object_r:conman_unit_file_t,s0)
+
+/usr/sbin/conmand -- gen_context(system_u:object_r:conman_exec_t,s0)
@@ -14905,6 +14938,7 @@ index 0000000..5f97ba9
+/var/log/conman(/.*)? gen_context(system_u:object_r:conman_log_t,s0)
+/var/log/conman\.old(/.*)? gen_context(system_u:object_r:conman_log_t,s0)
+
++/var/run/conmand.* -- gen_context(system_u:object_r:conman_var_run_t,s0)
diff --git a/conman.if b/conman.if
new file mode 100644
index 0000000..54b4b04
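Review bot: The added pattern `/var/run/conmand.*` has no separator after the name, so it labels every regular file under /var/run whose path begins with `conmand`. Because `.` also matches `/` in file-context regexes, that includes files below any directory with that prefix. The glusterd.fc hunk has the same issue, where `/var/run/glusterd.*` replaces the exact `/var/run/glusterd\.pid`. If only pid or socket files are meant, `/var/run/conmand\.[^/]*` and `/var/run/glusterd\.[^/]*` would stop `conman_var_run_t` and `glusterd_var_run_t` from spreading to unrelated names. The files the daemons actually create are not visible here, so the exact form should be checked against them.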
@@ -15055,10 +15089,10 @@ index 0000000..54b4b04
+')
diff --git a/conman.te b/conman.te
new file mode 100644
-index 0000000..d6b0314
+index 0000000..ccff09f
--- /dev/null
+++ b/conman.te
-@@ -0,0 +1,49 @@
+@@ -0,0 +1,55 @@
+policy_module(conman, 1.0.0)
+
+########################################
@@ -15073,6 +15107,9 @@ index 0000000..d6b0314
+type conman_log_t;
+logging_log_file(conman_log_t)
+
++type conman_var_run_t;
++files_pid_file(conman_var_run_t)
++
+type conman_unit_file_t;
+systemd_unit_file(conman_unit_file_t)
+
@@ -15092,13 +15129,16 @@ index 0000000..d6b0314
+manage_files_pattern(conman_t, conman_log_t, conman_log_t)
+logging_log_filetrans(conman_t, conman_log_t, { dir })
+
++manage_files_pattern(conman_t, conman_var_run_t, conman_var_run_t)
++files_pid_filetrans(conman_t, conman_var_run_t, file)
++
++auth_read_passwd(conman_t)
++
+corenet_tcp_bind_generic_node(conman_t)
+corenet_tcp_bind_conman_port(conman_t)
+
+corecmd_exec_bin(conman_t)
+
-+auth_read_passwd(conman_t)
-+
+logging_send_syslog_msg(conman_t)
+
+sysnet_dns_name_resolve(conman_t)
@@ -21596,7 +21636,7 @@ index a7326da..c87b5b7 100644
admin_pattern($1, denyhosts_var_lock_t)
')
diff --git a/denyhosts.te b/denyhosts.te
-index bcb9770..b53e611 100644
+index bcb9770..7f0c21f 100644
--- a/denyhosts.te
+++ b/denyhosts.te
@@ -25,6 +25,9 @@ logging_log_file(denyhosts_var_log_t)
@@ -21617,8 +21657,14 @@ index bcb9770..b53e611 100644
corenet_all_recvfrom_netlabel(denyhosts_t)
corenet_tcp_sendrecv_generic_if(denyhosts_t)
corenet_tcp_sendrecv_generic_node(denyhosts_t)
-@@ -59,11 +61,11 @@ corenet_tcp_sendrecv_smtp_port(denyhosts_t)
+@@ -57,13 +59,17 @@ corenet_sendrecv_smtp_client_packets(denyhosts_t)
+ corenet_tcp_connect_smtp_port(denyhosts_t)
+ corenet_tcp_sendrecv_smtp_port(denyhosts_t)
++corenet_sendrecv_sype_transport_client_packets(denyhosts_t)
++corenet_tcp_connect_sype_transport_port(denyhosts_t)
++corenet_tcp_sendrecv_sype_transport_port(denyhosts_t)
++
dev_read_urand(denyhosts_t)
+auth_use_nsswitch(denyhosts_t)
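Review bot: The three `corenet_*_sype_transport_*` lines give denyhosts_t an unconditional outbound TCP connection to the sype_transport port, with no comment on what uses it. This is presumably the optional denyhosts synchronisation feature, which many installations leave off. A comment such as `# denyhosts sync server` would document the intent. Putting the connect rule behind a boolean would keep the default domain limited to the SMTP egress it already had. The rest of the network block lies outside this hunk, so an existing tunable may already be available for this.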
@@ -21631,7 +21677,7 @@ index bcb9770..b53e611 100644
sysnet_dns_name_resolve(denyhosts_t)
sysnet_manage_config(denyhosts_t)
sysnet_etc_filetrans_config(denyhosts_t)
-@@ -71,3 +73,7 @@ sysnet_etc_filetrans_config(denyhosts_t)
+@@ -71,3 +77,7 @@ sysnet_etc_filetrans_config(denyhosts_t)
optional_policy(`
cron_system_entry(denyhosts_t, denyhosts_exec_t)
')
@@ -24216,10 +24262,10 @@ index 0000000..683dfdc
+')
diff --git a/docker.te b/docker.te
new file mode 100644
-index 0000000..73e71c1
+index 0000000..342d8bf
--- /dev/null
+++ b/docker.te
-@@ -0,0 +1,274 @@
+@@ -0,0 +1,277 @@
+policy_module(docker, 1.0.0)
+
+########################################
@@ -24279,7 +24325,7 @@ index 0000000..73e71c1
+#
+# docker local policy
+#
-+allow docker_t self:capability { chown fowner fsetid mknod net_admin net_bind_service };
++allow docker_t self:capability { chown fowner fsetid mknod net_admin net_bind_service setfcap };
+allow docker_t self:process { getattr signal_perms };
+allow docker_t self:fifo_file rw_fifo_file_perms;
+allow docker_t self:unix_stream_socket create_stream_socket_perms;
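Review bot: `setfcap` is added to the docker_t capability set with no comment on which daemon operation needs it. The same is true of `kernel_setsched(docker_t)`, `fs_search_all(docker_t)` and `seutil_read_config(docker_t)` in the three docker.te hunks that follow. Each one widens an already powerful domain, and `setfcap` in particular lets the daemon attach file capabilities to binaries it can write. I would annotate each addition with the triggering operation or denial, e.g. `# <operation>: needs setfcap`, so later reviews can tell required access from leftovers.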
@@ -24335,6 +24381,7 @@ index 0000000..73e71c1
+kernel_read_network_state(docker_t)
+kernel_read_all_sysctls(docker_t)
+kernel_rw_net_sysctls(docker_t)
++kernel_setsched(docker_t)
+
+domain_use_interactive_fds(docker_t)
+
@@ -24358,6 +24405,7 @@ index 0000000..73e71c1
+
+fs_read_cgroup_files(docker_t)
+fs_read_tmpfs_symlinks(docker_t)
++fs_search_all(docker_t)
+fs_getattr_all_fs(docker_t)
+
+storage_raw_rw_fixed_disk(docker_t)
@@ -24375,6 +24423,7 @@ index 0000000..73e71c1
+mount_domtrans(docker_t)
+
+seutil_read_default_contexts(docker_t)
++seutil_read_config(docker_t)
+
+sysnet_dns_name_resolve(docker_t)
+sysnet_exec_ifconfig(docker_t)
@@ -29321,7 +29370,7 @@ index e0a4f46..2d17fe6 100644
+')
diff --git a/glusterd.fc b/glusterd.fc
new file mode 100644
-index 0000000..9614520
+index 0000000..d9ea45b
--- /dev/null
+++ b/glusterd.fc
@@ -0,0 +1,16 @@
@@ -29340,7 +29389,7 @@ index 0000000..9614520
+/var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0)
+
+/var/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0)
-+/var/run/glusterd\.pid -- gen_context(system_u:object_r:glusterd_var_run_t,s0)
++/var/run/glusterd.* -- gen_context(system_u:object_r:glusterd_var_run_t,s0)
diff --git a/glusterd.if b/glusterd.if
new file mode 100644
index 0000000..1ed97fe
@@ -38553,7 +38602,7 @@ index adfe3dc..a60b664 100644
-
-miscfiles_read_localization(keyboardd_t)
diff --git a/keystone.fc b/keystone.fc
-index b273d80..186cd86 100644
+index b273d80..6a07210 100644
--- a/keystone.fc
+++ b/keystone.fc
@@ -1,3 +1,5 @@
@@ -38562,6 +38611,12 @@ index b273d80..186cd86 100644
/etc/rc\.d/init\.d/openstack-keystone -- gen_context(system_u:object_r:keystone_initrc_exec_t,s0)
/usr/bin/keystone-all -- gen_context(system_u:object_r:keystone_exec_t,s0)
+@@ -5,3 +7,5 @@
+ /var/lib/keystone(/.*)? gen_context(system_u:object_r:keystone_var_lib_t,s0)
+
+ /var/log/keystone(/.*)? gen_context(system_u:object_r:keystone_log_t,s0)
++
++/var/run/keystone(/.*)? gen_context(system_u:object_r:keystone_var_run_t,s0)
diff --git a/keystone.if b/keystone.if
index d3e7fc9..f20248c 100644
--- a/keystone.if
@@ -38802,10 +38857,16 @@ index d3e7fc9..f20248c 100644
+ ')
')
diff --git a/keystone.te b/keystone.te
-index 3494d9b..477d7b6 100644
+index 3494d9b..6009a94 100644
--- a/keystone.te
+++ b/keystone.te
-@@ -21,10 +21,14 @@ files_type(keystone_var_lib_t)
+@@ -18,13 +18,20 @@ logging_log_file(keystone_log_t)
+ type keystone_var_lib_t;
+ files_type(keystone_var_lib_t)
+
++type keystone_var_run_t;
++files_pid_file(keystone_var_run_t)
++
type keystone_tmp_t;
files_tmp_file(keystone_tmp_t)
@@ -38820,7 +38881,18 @@ index 3494d9b..477d7b6 100644
allow keystone_t self:fifo_file rw_fifo_file_perms;
allow keystone_t self:unix_stream_socket { accept listen };
-@@ -57,20 +61,36 @@ corenet_all_recvfrom_netlabel(keystone_t)
+@@ -45,6 +52,10 @@ manage_dirs_pattern(keystone_t, keystone_var_lib_t, keystone_var_lib_t)
+ manage_files_pattern(keystone_t, keystone_var_lib_t, keystone_var_lib_t)
+ files_var_lib_filetrans(keystone_t, keystone_var_lib_t, dir)
+
++manage_dirs_pattern(keystone_t, keystone_var_run_t, keystone_var_run_t)
++manage_files_pattern(keystone_t, keystone_var_run_t, keystone_var_run_t)
++files_pid_filetrans(keystone_t, keystone_var_run_t, { dir })
++
+ can_exec(keystone_t, keystone_tmp_t)
+
+ kernel_read_system_state(keystone_t)
+@@ -57,20 +68,36 @@ corenet_all_recvfrom_netlabel(keystone_t)
corenet_tcp_sendrecv_generic_if(keystone_t)
corenet_tcp_sendrecv_generic_node(keystone_t)
corenet_tcp_bind_generic_node(keystone_t)
@@ -44512,9 +44584,15 @@ index b1ac8b5..9b22bea 100644
+ ')
+')
diff --git a/modemmanager.te b/modemmanager.te
-index cb4c13d..9342be3 100644
+index cb4c13d..6af07aa 100644
--- a/modemmanager.te
+++ b/modemmanager.te
+@@ -1,4 +1,4 @@
+-policy_module(modemmanager, 1.1.1)
++policy_module(modemmanager, 1.2.1)
+
+ ########################################
+ #
@@ -11,6 +11,9 @@ init_daemon_domain(modemmanager_t, modemmanager_exec_t)
typealias modemmanager_t alias ModemManager_t;
typealias modemmanager_exec_t alias ModemManager_exec_t;
@@ -44525,9 +44603,12 @@ index cb4c13d..9342be3 100644
########################################
#
# Local policy
-@@ -25,14 +28,14 @@ allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
+@@ -24,15 +27,17 @@ allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
+
kernel_read_system_state(modemmanager_t)
++corecmd_exec_bin(modemmanager_t)
++
dev_read_sysfs(modemmanager_t)
+dev_read_urand(modemmanager_t)
dev_rw_modem(modemmanager_t)
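Review bot: The added `corecmd_exec_bin(modemmanager_t)` carries no comment saying which program ModemManager needs to run. Going by the interface name, the program is executed without a domain transition, so anything labelled bin_t that the daemon starts keeps modemmanager_t's access, including `dev_rw_modem`. I would add a why-comment above the line, e.g. `# <helper name>: run by ModemManager for <purpose>`. If only one helper is involved, a transition to a dedicated type would be the narrower grant. The local policy section continues outside the hunk.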
@@ -44543,6 +44624,12 @@ index cb4c13d..9342be3 100644
logging_send_syslog_msg(modemmanager_t)
+@@ -54,4 +59,5 @@ optional_policy(`
+
+ optional_policy(`
+ udev_read_db(modemmanager_t)
++ udev_manage_pid_files(modemmanager_t)
+ ')
diff --git a/mojomojo.if b/mojomojo.if
index 73952f4..b19a6ee 100644
--- a/mojomojo.if
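Review bot: `udev_manage_pid_files(modemmanager_t)` grants manage-level access to udev's runtime files, next to the read-only `udev_read_db` already in this block. If ModemManager only consumes udev data, a read-only grant would be narrower and would stop a misbehaving modem daemon from altering state that other udev consumers rely on. If manage access is really required, the reason should be recorded, e.g. `# ModemManager writes <file> in the udev runtime directory (<bug reference>)`.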
@@ -45876,7 +45963,7 @@ index 6194b80..7490fe3 100644
')
+
diff --git a/mozilla.te b/mozilla.te
-index 6a306ee..7e2d4fc 100644
+index 6a306ee..80996ad 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -1,4 +1,4 @@
@@ -45885,7 +45972,7 @@ index 6a306ee..7e2d4fc 100644
########################################
#
-@@ -6,17 +6,48 @@ policy_module(mozilla, 2.7.4)
+@@ -6,17 +6,56 @@ policy_module(mozilla, 2.7.4)
#
##
@@ -45902,6 +45989,14 @@ index 6a306ee..7e2d4fc 100644
+
+##
+##
++## Allow mozilla plugin domain to bind unreserved tcp/udp ports.
++##
++##
++
++gen_tunable(mozilla_plugin_bind_unreserved_ports, false)
++
++##
++##
+## Allow mozilla plugin to support spice protocols.
+##
+##
@@ -45939,7 +46034,7 @@ index 6a306ee..7e2d4fc 100644
type mozilla_t;
type mozilla_exec_t;
typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t };
-@@ -24,6 +55,9 @@ typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t };
+@@ -24,6 +63,9 @@ typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t };
userdom_user_application_domain(mozilla_t, mozilla_exec_t)
role mozilla_roles types mozilla_t;
@@ -45949,7 +46044,7 @@ index 6a306ee..7e2d4fc 100644
type mozilla_home_t;
typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t };
-@@ -31,28 +65,24 @@ userdom_user_home_content(mozilla_home_t)
+@@ -31,28 +73,24 @@ userdom_user_home_content(mozilla_home_t)
type mozilla_plugin_t;
type mozilla_plugin_exec_t;
@@ -45983,7 +46078,7 @@ index 6a306ee..7e2d4fc 100644
role mozilla_plugin_config_roles types mozilla_plugin_config_t;
type mozilla_tmp_t;
-@@ -63,10 +93,6 @@ typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sys
+@@ -63,10 +101,6 @@ typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sys
typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_t };
userdom_user_tmpfs_file(mozilla_tmpfs_t)
@@ -45994,7 +46089,7 @@ index 6a306ee..7e2d4fc 100644
########################################
#
# Local policy
-@@ -75,27 +101,30 @@ optional_policy(`
+@@ -75,27 +109,30 @@ optional_policy(`
allow mozilla_t self:capability { sys_nice setgid setuid };
allow mozilla_t self:process { sigkill signal setsched getsched setrlimit };
allow mozilla_t self:fifo_file rw_fifo_file_perms;
@@ -46038,7 +46133,7 @@ index 6a306ee..7e2d4fc 100644
manage_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
manage_lnk_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
-@@ -103,76 +132,69 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
+@@ -103,76 +140,69 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file })
@@ -46146,7 +46241,7 @@ index 6a306ee..7e2d4fc 100644
term_dontaudit_getattr_pty_dirs(mozilla_t)
-@@ -181,57 +203,76 @@ auth_use_nsswitch(mozilla_t)
+@@ -181,57 +211,76 @@ auth_use_nsswitch(mozilla_t)
logging_send_syslog_msg(mozilla_t)
miscfiles_read_fonts(mozilla_t)
@@ -46154,8 +46249,7 @@ index 6a306ee..7e2d4fc 100644
miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
-userdom_use_user_ptys(mozilla_t)
-+userdom_use_inherited_user_ptys(mozilla_t)
-
+-
-userdom_manage_user_tmp_dirs(mozilla_t)
-userdom_manage_user_tmp_files(mozilla_t)
-
@@ -46164,7 +46258,8 @@ index 6a306ee..7e2d4fc 100644
-userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file })
-
-userdom_write_user_tmp_sockets(mozilla_t)
--
++userdom_use_inherited_user_ptys(mozilla_t)
+
-mozilla_run_plugin(mozilla_t, mozilla_roles)
-mozilla_run_plugin_config(mozilla_t, mozilla_roles)
+#mozilla_run_plugin(mozilla_t, mozilla_roles)
@@ -46259,7 +46354,7 @@ index 6a306ee..7e2d4fc 100644
optional_policy(`
apache_read_user_scripts(mozilla_t)
-@@ -244,19 +285,12 @@ optional_policy(`
+@@ -244,19 +293,12 @@ optional_policy(`
optional_policy(`
cups_read_rw_config(mozilla_t)
@@ -46281,7 +46376,7 @@ index 6a306ee..7e2d4fc 100644
optional_policy(`
networkmanager_dbus_chat(mozilla_t)
-@@ -265,33 +299,32 @@ optional_policy(`
+@@ -265,33 +307,32 @@ optional_policy(`
optional_policy(`
gnome_stream_connect_gconf(mozilla_t)
@@ -46294,34 +46389,34 @@ index 6a306ee..7e2d4fc 100644
- gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2_private")
+ gnome_manage_config(mozilla_t)
+ gnome_manage_gconf_home_files(mozilla_t)
++')
++
++optional_policy(`
++ java_domtrans(mozilla_t)
')
optional_policy(`
- java_exec(mozilla_t)
- java_manage_generic_home_content(mozilla_t)
- java_home_filetrans_java_home(mozilla_t, dir, ".java")
-+ java_domtrans(mozilla_t)
++ lpd_domtrans_lpr(mozilla_t)
')
optional_policy(`
- lpd_run_lpr(mozilla_t, mozilla_roles)
-+ lpd_domtrans_lpr(mozilla_t)
++ mplayer_domtrans(mozilla_t)
++ mplayer_read_user_home_files(mozilla_t)
')
optional_policy(`
- mplayer_exec(mozilla_t)
- mplayer_manage_generic_home_content(mozilla_t)
- mplayer_home_filetrans_mplayer_home(mozilla_t, dir, ".mplayer")
-+ mplayer_domtrans(mozilla_t)
-+ mplayer_read_user_home_files(mozilla_t)
++ nscd_socket_use(mozilla_t)
')
optional_policy(`
- pulseaudio_run(mozilla_t, mozilla_roles)
-+ nscd_socket_use(mozilla_t)
-+')
-+
-+optional_policy(`
+ #pulseaudio_role(mozilla_roles, mozilla_t)
+ pulseaudio_exec(mozilla_t)
+ pulseaudio_stream_connect(mozilla_t)
@@ -46329,7 +46424,7 @@ index 6a306ee..7e2d4fc 100644
')
optional_policy(`
-@@ -300,259 +333,256 @@ optional_policy(`
+@@ -300,259 +341,256 @@ optional_policy(`
########################################
#
@@ -46413,12 +46508,12 @@ index 6a306ee..7e2d4fc 100644
allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms;
-allow mozilla_plugin_t mozilla_plugin_rw_t:file read_file_perms;
-allow mozilla_plugin_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
--
--dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
--stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
+read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+-dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
+-stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
+-
-can_exec(mozilla_plugin_t, { mozilla_exec_t mozilla_plugin_home_t mozilla_plugin_tmp_t })
+can_exec(mozilla_plugin_t, mozilla_exec_t)
@@ -46596,12 +46691,12 @@ index 6a306ee..7e2d4fc 100644
-userdom_manage_user_tmp_dirs(mozilla_plugin_t)
-userdom_manage_user_tmp_files(mozilla_plugin_t)
-+systemd_read_logind_sessions_files(mozilla_plugin_t)
-
+-
-userdom_manage_user_home_content_dirs(mozilla_plugin_t)
-userdom_manage_user_home_content_files(mozilla_plugin_t)
-userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { dir file })
--
++systemd_read_logind_sessions_files(mozilla_plugin_t)
+
-userdom_write_user_tmp_sockets(mozilla_plugin_t)
+term_getattr_all_ttys(mozilla_plugin_t)
+term_getattr_all_ptys(mozilla_plugin_t)
@@ -46732,7 +46827,7 @@ index 6a306ee..7e2d4fc 100644
')
optional_policy(`
-@@ -560,7 +590,11 @@ optional_policy(`
+@@ -560,7 +598,11 @@ optional_policy(`
')
optional_policy(`
@@ -46745,7 +46840,7 @@ index 6a306ee..7e2d4fc 100644
')
optional_policy(`
-@@ -568,108 +602,137 @@ optional_policy(`
+@@ -568,108 +610,142 @@ optional_policy(`
')
optional_policy(`
@@ -46774,7 +46869,8 @@ index 6a306ee..7e2d4fc 100644
-allow mozilla_plugin_config_t self:process { setsched signal_perms getsched };
-allow mozilla_plugin_config_t self:fifo_file rw_fifo_file_perms;
-allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms;
--
++allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack };
+
-allow mozilla_plugin_config_t mozilla_plugin_rw_t:dir manage_dir_perms;
-allow mozilla_plugin_config_t mozilla_plugin_rw_t:file manage_file_perms;
-allow mozilla_plugin_config_t mozilla_plugin_rw_t:lnk_file manage_lnk_file_perms;
@@ -46782,8 +46878,7 @@ index 6a306ee..7e2d4fc 100644
-manage_dirs_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, { mozilla_home_t mozilla_plugin_home_t })
-manage_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
-manage_lnk_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
-+allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack };
-
+-
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".galeon")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".mozilla")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".netscape")
@@ -46884,14 +46979,18 @@ index 6a306ee..7e2d4fc 100644
- allow mozilla_plugin_config_t self:process execmem;
+optional_policy(`
+ gnome_dontaudit_rw_inherited_config(mozilla_plugin_config_t)
-+')
-+
-+optional_policy(`
-+ xserver_use_user_fonts(mozilla_plugin_config_t)
')
-tunable_policy(`mozilla_execstack',`
- allow mozilla_plugin_config_t self:process { execmem execstack };
++optional_policy(`
++ xserver_use_user_fonts(mozilla_plugin_config_t)
+ ')
+
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(mozilla_plugin_config_t)
+- fs_manage_nfs_files(mozilla_plugin_config_t)
+- fs_manage_nfs_symlinks(mozilla_plugin_config_t)
+ifdef(`distro_redhat',`
+ typealias mozilla_plugin_t alias nsplugin_t;
+ typealias mozilla_plugin_exec_t alias nsplugin_exec_t;
@@ -46902,10 +47001,10 @@ index 6a306ee..7e2d4fc 100644
+ typealias mozilla_plugin_config_exec_t alias nsplugin_config_exec_t;
')
--tunable_policy(`use_nfs_home_dirs',`
-- fs_manage_nfs_dirs(mozilla_plugin_config_t)
-- fs_manage_nfs_files(mozilla_plugin_config_t)
-- fs_manage_nfs_symlinks(mozilla_plugin_config_t)
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(mozilla_plugin_config_t)
+- fs_manage_cifs_files(mozilla_plugin_config_t)
+- fs_manage_cifs_symlinks(mozilla_plugin_config_t)
+#tunable_policy(`mozilla_plugin_enable_homedirs',`
+# userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, { dir file })
+#', `
@@ -46918,10 +47017,8 @@ index 6a306ee..7e2d4fc 100644
+ userdom_execmod_user_home_files(mozilla_plugin_t)
')
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_dirs(mozilla_plugin_config_t)
-- fs_manage_cifs_files(mozilla_plugin_config_t)
-- fs_manage_cifs_symlinks(mozilla_plugin_config_t)
+-optional_policy(`
+- automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_config_t)
+tunable_policy(`mozilla_plugin_use_spice',`
+ dev_rw_generic_usb_dev(mozilla_plugin_t)
+ dev_setattr_generic_usb_dev(mozilla_plugin_t)
@@ -46929,18 +47026,21 @@ index 6a306ee..7e2d4fc 100644
')
-optional_policy(`
-- automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_config_t)
+- xserver_use_user_fonts(mozilla_plugin_config_t)
+tunable_policy(`mozilla_plugin_use_gps',`
+ fs_manage_dos_dirs(mozilla_plugin_t)
+ fs_manage_dos_files(mozilla_plugin_t)
- ')
-
--optional_policy(`
-- xserver_use_user_fonts(mozilla_plugin_config_t)
++')
++
+tunable_policy(`mozilla_plugin_use_bluejeans',`
+ corenet_tcp_bind_unreserved_ports(mozilla_plugin_t)
+ corenet_dontaudit_tcp_bind_all_defined_ports(mozilla_plugin_t)
+ corenet_tcp_connect_commplex_main_port(mozilla_plugin_t)
++')
++
++tunable_policy(`mozilla_plugin_bind_unreserved_ports',`
++ corenet_tcp_bind_unreserved_ports(mozilla_plugin_t)
++ corenet_udp_bind_all_unreserved_ports(mozilla_plugin_t)
')
diff --git a/mpd.fc b/mpd.fc
index 313ce52..ae93e07 100644
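Review bot: In the new `mozilla_plugin_bind_unreserved_ports` block the TCP grant uses `corenet_tcp_bind_unreserved_ports` while the UDP grant uses `corenet_udp_bind_all_unreserved_ports`. The differing names suggest the two may not cover the same port set, which this hunk does not show. The TCP line also repeats what `mozilla_plugin_use_bluejeans` grants just above, so the two booleans overlap. A short comment such as `# intended: same unreserved port range for TCP and UDP` would make the intent checkable against the interface definitions.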
@@ -74225,10 +74325,10 @@ index 76f5b39..8bb80a2 100644
+')
+
diff --git a/quantum.fc b/quantum.fc
-index 70ab68b..2a8e41b 100644
+index 70ab68b..b985b65 100644
--- a/quantum.fc
+++ b/quantum.fc
-@@ -1,10 +1,31 @@
+@@ -1,10 +1,34 @@
-/etc/rc\.d/init\.d/quantum.* -- gen_context(system_u:object_r:quantum_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/neutron.* -- gen_context(system_u:object_r:neutron_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/quantum.* -- gen_context(system_u:object_r:neutron_initrc_exec_t,s0)
@@ -74267,6 +74367,9 @@ index 70ab68b..2a8e41b 100644
+
+/var/log/neutron(/.*)? gen_context(system_u:object_r:neutron_log_t,s0)
+/var/log/quantum(/.*)? gen_context(system_u:object_r:neutron_log_t,s0)
++
++/var/run/neutron(/.*)? gen_context(system_u:object_r:neutron_var_run_t,s0)
++/var/run/quantum(/.*)? gen_context(system_u:object_r:neutron_var_run_t,s0)
diff --git a/quantum.if b/quantum.if
index afc0068..3105104 100644
--- a/quantum.if
@@ -74583,10 +74686,10 @@ index afc0068..3105104 100644
+ ')
')
diff --git a/quantum.te b/quantum.te
-index 769d1fd..daaaf4f 100644
+index 769d1fd..de82e12 100644
--- a/quantum.te
+++ b/quantum.te
-@@ -1,96 +1,169 @@
+@@ -1,96 +1,176 @@
-policy_module(quantum, 1.0.2)
+policy_module(quantum, 1.0.3)
@@ -74630,6 +74733,9 @@ index 769d1fd..daaaf4f 100644
+type neutron_var_lib_t alias quantum_var_lib_t;
+files_type(neutron_var_lib_t)
+
++type neutron_var_run_t alias quantum_var_run_t;
++files_pid_file(neutron_var_run_t)
++
+type neutron_unit_file_t alias quantum_unit_file_t;
+systemd_unit_file(neutron_unit_file_t)
@@ -74703,6 +74809,10 @@ index 769d1fd..daaaf4f 100644
+manage_dirs_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
+files_tmp_filetrans(neutron_t, neutron_tmp_t, { file dir })
+
++manage_files_pattern(neutron_t, neutron_var_run_t, neutron_var_run_t)
++manage_dirs_pattern(neutron_t, neutron_var_run_t, neutron_var_run_t)
++files_pid_filetrans(neutron_t, neutron_var_run_t, { file dir })
++
+manage_dirs_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
+manage_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
+manage_sock_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
@@ -90001,10 +90111,10 @@ index d204752..31cc6e6 100644
+ ')
')
diff --git a/sensord.te b/sensord.te
-index 5e82fd6..f3e5808 100644
+index 5e82fd6..64e130f 100644
--- a/sensord.te
+++ b/sensord.te
-@@ -9,12 +9,18 @@ type sensord_t;
+@@ -9,27 +9,35 @@ type sensord_t;
type sensord_exec_t;
init_daemon_domain(sensord_t, sensord_exec_t)
@@ -90023,7 +90133,10 @@ index 5e82fd6..f3e5808 100644
########################################
#
# Local policy
-@@ -23,13 +29,13 @@ files_pid_file(sensord_var_run_t)
+ #
+
++allow sensord_t self:process signal;
++
allow sensord_t self:fifo_file rw_fifo_file_perms;
allow sensord_t self:unix_stream_socket create_stream_socket_perms;
@@ -91375,7 +91488,7 @@ index 1fa51c1..82e111c 100644
smokeping_initrc_domtrans($1)
domain_system_change_exemption($1)
diff --git a/smokeping.te b/smokeping.te
-index a8b1aaf..fc0a2be 100644
+index a8b1aaf..4689a59 100644
--- a/smokeping.te
+++ b/smokeping.te
@@ -24,6 +24,7 @@ files_type(smokeping_var_lib_t)
@@ -91403,12 +91516,14 @@ index a8b1aaf..fc0a2be 100644
mta_send_mail(smokeping_t)
netutils_domtrans_ping(smokeping_t)
-@@ -70,6 +68,8 @@ optional_policy(`
+@@ -70,6 +68,10 @@ optional_policy(`
files_search_tmp(httpd_smokeping_cgi_script_t)
files_search_var_lib(httpd_smokeping_cgi_script_t)
+ auth_read_passwd(httpd_smokeping_cgi_script_t)
+
++ logging_send_syslog_msg(httpd_smokeping_cgi_script_t)
++
sysnet_dns_name_resolve(httpd_smokeping_cgi_script_t)
netutils_domtrans_ping(httpd_smokeping_cgi_script_t)
@@ -94827,7 +94942,7 @@ index a240455..3dd6f00 100644
- admin_pattern($1, sssd_log_t)
')
diff --git a/sssd.te b/sssd.te
-index 8b537aa..eb8bb88 100644
+index 8b537aa..b400fb6 100644
--- a/sssd.te
+++ b/sssd.te
@@ -1,4 +1,4 @@
@@ -94919,11 +95034,12 @@ index 8b537aa..eb8bb88 100644
auth_domtrans_chk_passwd(sssd_t)
auth_domtrans_upd_passwd(sssd_t)
auth_manage_cache(sssd_t)
-@@ -112,18 +107,34 @@ logging_send_syslog_msg(sssd_t)
+@@ -112,18 +107,35 @@ logging_send_syslog_msg(sssd_t)
logging_send_audit_msgs(sssd_t)
miscfiles_read_generic_certs(sssd_t)
-miscfiles_read_localization(sssd_t)
++miscfiles_dontaudit_access_check_cert(sssd_t)
sysnet_dns_name_resolve(sssd_t)
sysnet_use_ldap(sssd_t)
@@ -101053,7 +101169,7 @@ index c30da4c..9ccc90c 100644
+/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
+/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
diff --git a/virt.if b/virt.if
-index 9dec06c..88dcafb 100644
+index 9dec06c..d179539 100644
--- a/virt.if
+++ b/virt.if
@@ -1,120 +1,51 @@
@@ -102362,11 +102478,10 @@ index 9dec06c..88dcafb 100644
+ optional_policy(`
+ ptchown_run(virt_domain, $2)
+ ')
- ')
-
- ########################################
- ##
--## Append virt log files.
++')
++
++########################################
++##
+## Do not audit attempts to write virt daemon unnamed pipes.
+##
+##
@@ -102382,10 +102497,11 @@ index 9dec06c..88dcafb 100644
+
+ dontaudit $1 virtd_t:fd use;
+ dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Append virt log files.
+## Send a sigkill to virtual machines
##
##
@@ -102797,7 +102913,7 @@ index 9dec06c..88dcafb 100644
##
##
##
-@@ -1136,50 +1299,36 @@ interface(`virt_manage_images',`
+@@ -1136,50 +1299,53 @@ interface(`virt_manage_images',`
#
interface(`virt_admin',`
gen_require(`
@@ -102836,44 +102952,60 @@ index 9dec06c..88dcafb 100644
- fs_search_tmpfs($1)
- admin_pattern($1, virt_tmpfs_type)
--
++ allow $1 virt_domain:process signal_perms;
+
- files_search_tmp($1)
- admin_pattern($1, { virt_tmp_type virt_tmp_t })
--
++ admin_pattern($1, virt_file_type)
++ admin_pattern($1, svirt_file_type)
+
- files_search_etc($1)
- admin_pattern($1, { virt_etc_t virt_etc_rw_t })
--
++ virt_systemctl($1)
++ allow $1 virtd_unit_file_t:service all_service_perms;
+
- logging_search_logs($1)
- admin_pattern($1, virt_log_t)
-
- files_search_pids($1)
- admin_pattern($1, { virt_var_run_t virtd_lxc_var_run_t svirt_var_run_t })
-+ allow $1 virt_domain:process signal_perms;
-
+-
- files_search_var($1)
- admin_pattern($1, svirt_cache_t)
-
- files_search_var_lib($1)
- admin_pattern($1, { virt_image_type virt_var_lib_t svirt_lxc_file_t })
-+ admin_pattern($1, virt_file_type)
-+ admin_pattern($1, svirt_file_type)
-
+-
- files_search_locks($1)
- admin_pattern($1, virt_lock_t)
-+ virt_systemctl($1)
-+ allow $1 virtd_unit_file_t:service all_service_perms;
-
-- dev_list_all_dev_nodes($1)
-- allow $1 virt_ptynode:chr_file rw_term_perms;
+ virt_stream_connect_sandbox($1)
+ virt_stream_connect_svirt($1)
+ virt_stream_connect($1)
++')
++#######################################
++##
++## Getattr on virt executable.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`virt_default_capabilities',`
++ gen_require(`
++ attribute sandbox_caps_domain;
++ ')
+
+- dev_list_all_dev_nodes($1)
+- allow $1 virt_ptynode:chr_file rw_term_perms;
++ typeattribute $1 sandbox_caps_domain;
')
diff --git a/virt.te b/virt.te
-index 1f22fba..50bb3f1 100644
+index 1f22fba..b3121c0 100644
--- a/virt.te
+++ b/virt.te
-@@ -1,147 +1,209 @@
+@@ -1,147 +1,224 @@
-policy_module(virt, 1.6.10)
+policy_module(virt, 1.5.0)
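Review bot: The header comment of the new `virt_default_capabilities` interface does not match its body. It reads "Getattr on virt executable." and "Domain allowed to transition.", but the body only requires `sandbox_caps_domain` and assigns it to `$1` with `typeattribute`. The text looks copied from another interface. I would change the summary to `## Assign the sandbox_caps_domain attribute to the specified domain.` and the parameter text to `## Domain to be given the attribute.`. A blank line is also missing between the preceding `')` and the `#######` rule, unlike the other interface headers in virt.if.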
@@ -102896,6 +103028,7 @@ index 1f22fba..50bb3f1 100644
+attribute svirt_file_type;
+attribute virt_file_type;
+attribute sandbox_net_domain;
++attribute sandbox_caps_domain;
+
+type svirt_tmp_t, svirt_file_type;
+files_tmp_file(svirt_tmp_t)
@@ -103031,35 +103164,49 @@ index 1f22fba..50bb3f1 100644
+##
+##
+gen_tunable(virt_sandbox_use_samba, false)
++
++##
++##
++## Allow sandbox containers to send audit messages
++
++##
++##
++gen_tunable(virt_sandbox_use_audit, true)
-attribute svirt_lxc_domain;
+##
+##
-+## Allow sandbox containers to send audit messages
++## Allow sandbox containers to use netlink system calls
++##
++##
++gen_tunable(virt_sandbox_use_netlink, false)
-attribute_role virt_domain_roles;
-roleattribute system_r virt_domain_roles;
++##
++##
++## Allow sandbox containers to use sys_admin system calls, for example mount
+##
+##
-+gen_tunable(virt_sandbox_use_audit, true)
++gen_tunable(virt_sandbox_use_sys_admin, false)
-attribute_role virt_bridgehelper_roles;
-roleattribute system_r virt_bridgehelper_roles;
+##
+##
-+## Allow sandbox containers to use netlink system calls
++## Allow sandbox containers to use mknod system calls
+##
+##
-+gen_tunable(virt_sandbox_use_netlink, false)
++gen_tunable(virt_sandbox_use_mknod, false)
-attribute_role svirt_lxc_domain_roles;
-roleattribute system_r svirt_lxc_domain_roles;
+##
+##
-+## Allow sandbox containers to use sys_admin system calls, for example mount
++## Allow sandbox containers to use all capabilities
+##
+##
-+gen_tunable(virt_sandbox_use_sys_admin, false)
++gen_tunable(virt_sandbox_use_all_caps, false)
virt_domain_template(svirt)
-virt_domain_template(svirt_prot_exec)
@@ -103153,7 +103300,7 @@ index 1f22fba..50bb3f1 100644
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
')
-@@ -150,295 +212,130 @@ ifdef(`enable_mls',`
+@@ -150,295 +227,130 @@ ifdef(`enable_mls',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh)
')
@@ -103524,7 +103671,7 @@ index 1f22fba..50bb3f1 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -448,42 +345,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -448,42 +360,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
@@ -103571,29 +103718,29 @@ index 1f22fba..50bb3f1 100644
logging_log_filetrans(virtd_t, virt_log_t, { file dir })
manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -496,16 +380,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -496,16 +395,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
-manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
+-
+-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
+-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+-
+-can_exec(virtd_t, virt_tmp_t)
+manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
+allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto };
+stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
--stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
--stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
--
--can_exec(virtd_t, virt_tmp_t)
--
-kernel_read_crypto_sysctls(virtd_t)
kernel_read_system_state(virtd_t)
kernel_read_network_state(virtd_t)
kernel_rw_net_sysctls(virtd_t)
-@@ -513,6 +393,7 @@ kernel_read_kernel_sysctls(virtd_t)
+@@ -513,6 +408,7 @@ kernel_read_kernel_sysctls(virtd_t)
kernel_request_load_module(virtd_t)
kernel_search_debugfs(virtd_t)
kernel_setsched(virtd_t)
@@ -103601,7 +103748,7 @@ index 1f22fba..50bb3f1 100644
corecmd_exec_bin(virtd_t)
corecmd_exec_shell(virtd_t)
-@@ -520,24 +401,16 @@ corecmd_exec_shell(virtd_t)
+@@ -520,24 +416,16 @@ corecmd_exec_shell(virtd_t)
corenet_all_recvfrom_netlabel(virtd_t)
corenet_tcp_sendrecv_generic_if(virtd_t)
corenet_tcp_sendrecv_generic_node(virtd_t)
@@ -103629,7 +103776,7 @@ index 1f22fba..50bb3f1 100644
dev_rw_sysfs(virtd_t)
dev_read_urand(virtd_t)
dev_read_rand(virtd_t)
-@@ -548,22 +421,27 @@ dev_rw_vhost(virtd_t)
+@@ -548,22 +436,27 @@ dev_rw_vhost(virtd_t)
dev_setattr_generic_usb_dev(virtd_t)
dev_relabel_generic_usb_dev(virtd_t)
@@ -103662,7 +103809,7 @@ index 1f22fba..50bb3f1 100644
fs_rw_anon_inodefs_files(virtd_t)
fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t)
-@@ -594,15 +472,18 @@ term_use_ptmx(virtd_t)
+@@ -594,15 +487,18 @@ term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
@@ -103682,7 +103829,7 @@ index 1f22fba..50bb3f1 100644
selinux_validate_context(virtd_t)
-@@ -613,18 +494,26 @@ seutil_read_file_contexts(virtd_t)
+@@ -613,18 +509,26 @@ seutil_read_file_contexts(virtd_t)
sysnet_signull_ifconfig(virtd_t)
sysnet_signal_ifconfig(virtd_t)
sysnet_domtrans_ifconfig(virtd_t)
@@ -103719,7 +103866,7 @@ index 1f22fba..50bb3f1 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -633,7 +522,7 @@ tunable_policy(`virt_use_nfs',`
+@@ -633,7 +537,7 @@ tunable_policy(`virt_use_nfs',`
')
tunable_policy(`virt_use_samba',`
@@ -103728,7 +103875,7 @@ index 1f22fba..50bb3f1 100644
fs_manage_cifs_files(virtd_t)
fs_read_cifs_symlinks(virtd_t)
')
-@@ -658,20 +547,12 @@ optional_policy(`
+@@ -658,20 +562,12 @@ optional_policy(`
')
optional_policy(`
@@ -103749,7 +103896,7 @@ index 1f22fba..50bb3f1 100644
')
optional_policy(`
-@@ -684,14 +565,20 @@ optional_policy(`
+@@ -684,14 +580,20 @@ optional_policy(`
dnsmasq_kill(virtd_t)
dnsmasq_signull(virtd_t)
dnsmasq_create_pid_dirs(virtd_t)
@@ -103772,7 +103919,7 @@ index 1f22fba..50bb3f1 100644
iptables_manage_config(virtd_t)
')
-@@ -704,11 +591,13 @@ optional_policy(`
+@@ -704,11 +606,13 @@ optional_policy(`
')
optional_policy(`
@@ -103786,7 +103933,7 @@ index 1f22fba..50bb3f1 100644
policykit_domtrans_auth(virtd_t)
policykit_domtrans_resolve(virtd_t)
policykit_read_lib(virtd_t)
-@@ -719,10 +608,18 @@ optional_policy(`
+@@ -719,10 +623,18 @@ optional_policy(`
')
optional_policy(`
@@ -103805,17 +103952,19 @@ index 1f22fba..50bb3f1 100644
kernel_read_xen_state(virtd_t)
kernel_write_xen_state(virtd_t)
-@@ -737,44 +634,277 @@ optional_policy(`
+@@ -737,44 +649,277 @@ optional_policy(`
udev_read_db(virtd_t)
')
+-########################################
+-#
+-# Virsh local policy
+optional_policy(`
+ unconfined_domain(virtd_t)
+')
+
- ########################################
- #
--# Virsh local policy
++########################################
++#
+# virtual domains common policy
#
+allow virt_domain self:capability2 compromise_kernel;
@@ -104027,7 +104176,7 @@ index 1f22fba..50bb3f1 100644
+ fs_read_cifs_symlinks(virt_domain)
+ fs_getattr_cifs(virt_domain)
+')
-+
+
+tunable_policy(`virt_use_usb',`
+ dev_rw_usbfs(virt_domain)
+ dev_read_sysfs(virt_domain)
@@ -104069,7 +104218,7 @@ index 1f22fba..50bb3f1 100644
+allow virsh_t self:tcp_socket create_stream_socket_perms;
+
+ps_process_pattern(virsh_t, svirt_sandbox_domain)
-
++
+can_exec(virsh_t, virsh_exec_t)
virt_domtrans(virsh_t)
virt_manage_images(virsh_t)
@@ -104105,7 +104254,7 @@ index 1f22fba..50bb3f1 100644
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
-@@ -785,25 +915,18 @@ kernel_write_xen_state(virsh_t)
+@@ -785,25 +930,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)
@@ -104132,7 +104281,7 @@ index 1f22fba..50bb3f1 100644
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
-@@ -812,23 +935,25 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -812,23 +950,25 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
@@ -104149,10 +104298,10 @@ index 1f22fba..50bb3f1 100644
-logging_send_syslog_msg(virsh_t)
+systemd_exec_systemctl(virsh_t)
-+
-+auth_read_passwd(virsh_t)
-miscfiles_read_localization(virsh_t)
++auth_read_passwd(virsh_t)
++
+logging_send_syslog_msg(virsh_t)
sysnet_dns_name_resolve(virsh_t)
@@ -104166,7 +104315,7 @@ index 1f22fba..50bb3f1 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
-@@ -847,14 +972,20 @@ optional_policy(`
+@@ -847,14 +987,20 @@ optional_policy(`
')
optional_policy(`
@@ -104188,7 +104337,7 @@ index 1f22fba..50bb3f1 100644
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
-@@ -879,49 +1010,65 @@ optional_policy(`
+@@ -879,49 +1025,65 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
@@ -104272,7 +104421,7 @@ index 1f22fba..50bb3f1 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
-@@ -933,17 +1080,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -933,17 +1095,16 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
@@ -104292,7 +104441,7 @@ index 1f22fba..50bb3f1 100644
fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -955,8 +1101,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -955,8 +1116,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@@ -104316,7 +104465,7 @@ index 1f22fba..50bb3f1 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
-@@ -965,194 +1126,304 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -965,194 +1141,314 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@@ -104345,12 +104494,12 @@ index 1f22fba..50bb3f1 100644
+optional_policy(`
+ docker_exec_lib(virtd_lxc_t)
+')
-+
+
+-sysnet_domtrans_ifconfig(virtd_lxc_t)
+optional_policy(`
+ gnome_read_generic_cache_files(virtd_lxc_t)
+')
-
--sysnet_domtrans_ifconfig(virtd_lxc_t)
++
+optional_policy(`
+ setrans_manage_pid_files(virtd_lxc_t)
+')
@@ -104474,8 +104623,7 @@ index 1f22fba..50bb3f1 100644
+manage_lnk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
+manage_sock_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
+manage_fifo_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
-+allow svirt_sandbox_domain svirt_sandbox_file_t:chr_file setattr;
-+rw_chr_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_chr_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
+
+allow svirt_sandbox_domain svirt_sandbox_file_t:blk_file setattr;
+rw_blk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
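Review bot: Replacing `setattr` plus `rw_chr_files_pattern` with `manage_chr_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)` widens every sandbox domain from using existing character devices to creating, renaming and deleting them, assuming the manage pattern has its usual meaning. The mknod capability is gated behind `virt_sandbox_use_mknod` later in this patch, but only for svirt_lxc_net_t, whereas this file-class permission is unconditional for the whole attribute. I would keep the rw form here and grant the manage pattern inside that tunable, with a comment naming the workload that needs device-node creation. The `manage_chr_files_pattern(svirt_lxc_net_t, ...)` line added further down also looks redundant if svirt_lxc_net_t already carries svirt_sandbox_domain, which this hunk does not show.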
@@ -104593,6 +104741,7 @@ index 1f22fba..50bb3f1 100644
+# svirt_lxc_net_t local policy
#
+virt_sandbox_domain_template(svirt_lxc_net)
++virt_default_capabilities(svirt_lxc_net_t)
+typeattribute svirt_lxc_net_t sandbox_net_domain;
-allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap };
@@ -104611,6 +104760,7 @@ index 1f22fba..50bb3f1 100644
-kernel_read_network_state(svirt_lxc_net_t)
-kernel_read_irq_sysctls(svirt_lxc_net_t)
+allow svirt_lxc_net_t self:process { execstack execmem };
++manage_chr_files_pattern(svirt_lxc_net_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
-corenet_all_recvfrom_unlabeled(svirt_lxc_net_t)
-corenet_all_recvfrom_netlabel(svirt_lxc_net_t)
@@ -104629,6 +104779,17 @@ index 1f22fba..50bb3f1 100644
-corenet_sendrecv_all_server_packets(svirt_lxc_net_t)
-corenet_udp_bind_all_ports(svirt_lxc_net_t)
-corenet_tcp_bind_all_ports(svirt_lxc_net_t)
++tunable_policy(`virt_sandbox_use_mknod',`
++ allow svirt_lxc_net_t self:capability mknod;
++')
+
+-corenet_sendrecv_all_client_packets(svirt_lxc_net_t)
+-corenet_tcp_connect_all_ports(svirt_lxc_net_t)
++tunable_policy(`virt_sandbox_use_all_caps',`
++ allow svirt_lxc_net_t self:capability all_capability_perms;
++ allow svirt_lxc_net_t self:capability2 all_capability2_perms;
++')
+
+tunable_policy(`virt_sandbox_use_netlink',`
+ allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
+ allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
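Review bot: The virt_sandbox_use_mknod boolean added here probably has no effect on svirt_lxc_net_t, because a later hunk grants `mknod` to sandbox_caps_domain unconditionally and an earlier hunk calls `virt_default_capabilities(svirt_lxc_net_t)`. That interface's definition is not shown; if it adds the type to sandbox_caps_domain, the capability is allowed whether the boolean is on or off. To make the boolean the actual switch, the default set should drop it: `allow sandbox_caps_domain self:capability { chown dac_override fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot audit_write setfcap };`. The virt_sandbox_use_all_caps block would also benefit from a comment stating that it grants every capability and capability2 permission to the container domain, so that confinement then rests on type enforcement alone.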
@@ -104636,15 +104797,13 @@ index 1f22fba..50bb3f1 100644
+', `
+ logging_dontaudit_send_audit_msgs(svirt_lxc_net_t)
+')
-
--corenet_sendrecv_all_client_packets(svirt_lxc_net_t)
--corenet_tcp_connect_all_ports(svirt_lxc_net_t)
++
+allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms;
+allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms;
+
+kernel_read_irq_sysctls(svirt_lxc_net_t)
+kernel_read_messages(svirt_lxc_net_t)
-
++
+dev_read_sysfs(svirt_lxc_net_t)
dev_getattr_mtrr_dev(svirt_lxc_net_t)
dev_read_rand(svirt_lxc_net_t)
@@ -104714,7 +104873,8 @@ index 1f22fba..50bb3f1 100644
+read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
+
+append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t)
-+
+
+-allow svirt_prot_exec_t self:process { execmem execstack };
+kernel_read_irq_sysctls(svirt_qemu_net_t)
+
+dev_read_sysfs(svirt_qemu_net_t)
@@ -104723,8 +104883,7 @@ index 1f22fba..50bb3f1 100644
+dev_read_urand(svirt_qemu_net_t)
+
+files_read_kernel_modules(svirt_qemu_net_t)
-
--allow svirt_prot_exec_t self:process { execmem execstack };
++
+fs_noxattr_type(svirt_sandbox_file_t)
+fs_mount_cgroup(svirt_qemu_net_t)
+fs_manage_cgroup_dirs(svirt_qemu_net_t)
@@ -104758,7 +104917,7 @@ index 1f22fba..50bb3f1 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1165,12 +1436,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1165,12 +1461,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -104773,7 +104932,7 @@ index 1f22fba..50bb3f1 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1183,9 +1454,8 @@ optional_policy(`
+@@ -1183,9 +1479,8 @@ optional_policy(`
########################################
#
@@ -104784,7 +104943,7 @@ index 1f22fba..50bb3f1 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1468,216 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1493,218 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
@@ -105003,6 +105162,8 @@ index 1f22fba..50bb3f1 100644
+optional_policy(`
+ systemd_dbus_chat_logind(sandbox_net_domain)
+')
++
++allow sandbox_caps_domain self:capability { chown dac_override fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap };
diff --git a/vlock.te b/vlock.te
index 9ead775..b5285e7 100644
--- a/vlock.te
@@ -108038,10 +108199,14 @@ index d837e88..910aeec 100644
userdom_search_user_home_dirs(yam_t)
diff --git a/zabbix.fc b/zabbix.fc
-index ce10cb1..38b143f 100644
+index ce10cb1..14dc7c6 100644
--- a/zabbix.fc
+++ b/zabbix.fc
-@@ -4,12 +4,17 @@
+@@ -1,15 +1,23 @@
+ /etc/rc\.d/init\.d/((zabbix)|(zabbix-server)) -- gen_context(system_u:object_r:zabbix_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/(zabbix|zabbix-server) -- gen_context(system_u:object_r:zabbix_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/zabbix-agentd -- gen_context(system_u:object_r:zabbix_agent_initrc_exec_t,s0)
+
/usr/bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)
/usr/bin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_exec_t,s0)
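Review bot: The added entry `/etc/rc\.d/init\.d/(zabbix|zabbix-server)` matches the same two paths and assigns the same zabbix_initrc_exec_t context as the existing `((zabbix)|(zabbix-server))` line, which the inner patch keeps as context directly above it. The result is two equivalent file-context specifications in zabbix.fc. If the intent was to simplify the regex, the inner patch should remove the old line rather than carry both.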
@@ -108055,9 +108220,12 @@ index ce10cb1..38b143f 100644
+/usr/sbin/zabbix_proxy_mysql -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+/usr/sbin/zabbix_proxy_pgsql -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+/usr/sbin/zabbix_proxy_sqlite3 -- gen_context(system_u:object_r:zabbix_exec_t,s0)
-
++
+/var/lib/zabbixsrv(/.*)? gen_context(system_u:object_r:zabbix_var_lib_t,s0)
- /var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0)
++/var/lib/zabbix(/.*)? gen_context(system_u:object_r:zabbix_var_lib_t,s0)
+
+-/var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0)
++/var/log/zabbix.* gen_context(system_u:object_r:zabbix_log_t,s0)
/var/run/zabbix(/.*)? gen_context(system_u:object_r:zabbix_var_run_t,s0)
diff --git a/zabbix.if b/zabbix.if
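Review bot: Replacing `/var/log/zabbix(/.*)?` with `/var/log/zabbix.*` widens the match from the zabbix directory and its contents to every path under /var/log whose name merely begins with "zabbix". Any file or directory with that prefix, whoever creates it, would be labelled zabbix_log_t and fall under the zabbix domains' log access. If the goal is to cover a second log directory alongside the `/var/lib/zabbixsrv` entry added above (an assumption, since the reason is not stated), an anchored form such as `/var/log/zabbix(srv)?(/.*)?` keeps the label scoped to the intended directories.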
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 4702921..c83599c 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 179%{?dist}
+Release: 180%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -579,6 +579,33 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Tue Aug 12 2014 Lukas Vrabec 3.12.1-180
+- label /usr/libexec/cockpit-agent as shell_exec_t
+- sysadm_t should be allowed to communicate with networkmanager
+- Allow sysadm_t to create netlink_tcpdiag socket
+- Label also /var/run/glusterd.socket file as gluster_var_run_t
+- Label conmans pid file as conman_var_run_t
+- Allow certmonger to stream connect to dirsrv to make ipa-server-install working.
+- Allow sensord to send a signal.
+- Dontaudit attempts to access check cert dirs/files for sssd.
+- Label keystone var run dir (#1123013)
+- Label neutron var run dir (#1123013)
+- Allow bacula manage bacula_log_t dirs
+- Fix typo in bacula.te and add filetrans also for bacula log files.
+- docker needs more access, need back port to RHEL7
+- Allow alsa to create lock file to see if it fixes #1123423.
+- Add new mozilla_plugin_bind_unreserved_ports boolean to allow mozilla plugin to use tcp/udp unreserved ports
+- Dontaudit write access on generic cert files. We don't audit also access check.
+- Allow nacl_helper_boo running in :chrome_sandbox_t to send SIGCHLD to chrome_sandbox_nacl_t.
+- Back port modemmanager for F21.
+- docker does a getattr on all file systems
+- Allow denyhosts to enable synchronization which needs to connect to tcp/9911 port.
+- shell_exec_t should not be in cockip.fc
+- Allow smokeping cgi script to send syslog messages (#1122163)
+- Allow cachefilesd_t to send itself signals
+- Allow svirt domains to manage chr files and blk files for mknod commands
+- docker needs setfcap
+
* Wed Jul 23 2014 Lukas Vrabec 3.12.1-179
- Bluejeans wants to connect to port 5000
- Allow zabbix domains to access /proc//net/dev