[selinux-policy/f17] * Fri Mar 30 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0- - Ensure lastlog is labeled correctly -

Miroslav Grepl mgrepl at fedoraproject.org
Fri Mar 30 08:35:51 UTC 2012


commit bbb38db30eacf6c4d912777e720fa7e788595539
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Fri Mar 30 10:35:31 2012 +0200

    * Fri Mar 30 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-
    - Ensure lastlog is labeled correctly
    - Allow accountsd to read /proc data about gdm
    - Add fixes for tuned
    - Add bcfg2 fixes which were discovered during RHEL6 testing
    - More fixes for gnome-keyring socket being moved
    - Run semanage as an unconfined domain, and allow initrc_t to
    - Fix description for files_dontaudit_read_security_files()

 policy-F16.patch    |  496 ++++++++++++++++++++++++++++++++-------------------
 selinux-policy.spec |   11 +-
 2 files changed, 323 insertions(+), 184 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index f2b98da..1423ae9 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -60210,14 +60210,60 @@ index e0791b9..9f49d01 100644
 +	term_dontaudit_use_all_ptys(traceroute_t)
 +')
 diff --git a/policy/modules/admin/passenger.if b/policy/modules/admin/passenger.if
-index f68b573..59ee69c 100644
+index f68b573..30b3188 100644
 --- a/policy/modules/admin/passenger.if
 +++ b/policy/modules/admin/passenger.if
-@@ -37,3 +37,25 @@ interface(`passenger_read_lib_files',`
+@@ -18,6 +18,24 @@ interface(`passenger_domtrans',`
+ 	domtrans_pattern($1, passenger_exec_t, passenger_t)
+ ')
+ 
++######################################
++## <summary>
++##	Execute passenger in the current domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`passenger_exec',`
++	gen_require(`
++		type passenger_exec_t;
++	')
++
++	can_exec($1, passenger_exec_t)
++')
++
+ ########################################
+ ## <summary>
+ ##	Read passenger lib files
+@@ -37,3 +55,46 @@ interface(`passenger_read_lib_files',`
  	read_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
  	files_search_var_lib($1)
  ')
 +
++########################################
++## <summary>
++##	Manage passenger lib files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`passenger_manage_lib_files',`
++	gen_require(`
++		type passenger_var_lib_t;
++	')
++
++	manage_dirs_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
++	manage_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
++	manage_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
++	files_search_var_lib($1)
++')
++
 +#####################################
 +## <summary>
 +##  Manage passenger var_run content.
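Review bot: The doc block for the new `passenger_exec` interface describes its parameter as "Domain allowed to transition.", but the body is `can_exec($1, passenger_exec_t)`, which runs passenger in the caller's own domain with no transition. The parameter summary should read `Domain allowed access.`, the wording `passenger_manage_lib_files` uses later in this hunk. Callers of this interface skip the `passenger_t` domain that `passenger_domtrans` enters, so a comment above the interface such as `# Callers keep passenger in their own domain; prefer passenger_domtrans() where confinement is wanted.` would make that trade-off visible to whoever adds the next caller.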
@@ -63752,10 +63798,10 @@ index 00a19e3..3681873 100644
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper	--		gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..c33e026 100644
+index f5afe78..2111004 100644
 --- a/policy/modules/apps/gnome.if
 +++ b/policy/modules/apps/gnome.if
-@@ -1,44 +1,920 @@
+@@ -1,44 +1,899 @@
  ## <summary>GNU network object model environment (GNOME)</summary>
  
 -############################################################
@@ -63917,27 +63963,6 @@ index f5afe78..c33e026 100644
 +
 +########################################
 +## <summary>
-+##	Connect to gkeyringd with a unix stream socket. 
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`gnome_stream_connect_all_gkeyringd',`
-+	gen_require(`
-+		attribute gkeyringd_domain;
-+		type gkeyringd_tmp_t;
-+		type gconf_tmp_t;
-+	')
-+
-+	allow $1 gconf_tmp_t:dir search_dir_perms;
-+	stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain)
-+')
-+
-+########################################
-+## <summary>
 +##	Run gconfd in gconfd domain.
 +## </summary>
 +## <param name="domain">
@@ -64694,7 +64719,7 @@ index f5afe78..c33e026 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -46,37 +922,92 @@ interface(`gnome_role',`
+@@ -46,37 +901,92 @@ interface(`gnome_role',`
  ##	</summary>
  ## </param>
  #
@@ -64798,7 +64823,7 @@ index f5afe78..c33e026 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -84,37 +1015,53 @@ template(`gnome_read_gconf_config',`
+@@ -84,37 +994,53 @@ template(`gnome_read_gconf_config',`
  ##	</summary>
  ## </param>
  #
@@ -64863,7 +64888,7 @@ index f5afe78..c33e026 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -122,17 +1069,17 @@ interface(`gnome_stream_connect_gconf',`
+@@ -122,17 +1048,17 @@ interface(`gnome_stream_connect_gconf',`
  ##	</summary>
  ## </param>
  #
@@ -64885,7 +64910,7 @@ index f5afe78..c33e026 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -140,51 +1087,301 @@ interface(`gnome_domtrans_gconfd',`
+@@ -140,51 +1066,301 @@ interface(`gnome_domtrans_gconfd',`
  ##	</summary>
  ## </param>
  #
@@ -71484,7 +71509,7 @@ index 223ad43..d95e720 100644
  	rsync_exec(yam_t)
  ')
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 3fae11a..cf3cf20 100644
+index 3fae11a..d0282f6 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
 @@ -1,9 +1,10 @@
@@ -71751,7 +71776,7 @@ index 3fae11a..cf3cf20 100644
  
  ifdef(`distro_gentoo', `
  /usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)?	gen_context(system_u:object_r:bin_t,s0)
-@@ -306,10 +350,11 @@ ifdef(`distro_redhat', `
+@@ -306,10 +350,12 @@ ifdef(`distro_redhat', `
  /etc/gdm/[^/]+			-d	gen_context(system_u:object_r:bin_t,s0)
  /etc/gdm/[^/]+/.*			gen_context(system_u:object_r:bin_t,s0)
  
@@ -71762,10 +71787,11 @@ index 3fae11a..cf3cf20 100644
 -/usr/lib64/bluetooth(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/nfs-utils/scripts(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/oracle/xe/apps(/.*)?		gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/tuned/powersave/.*\.sh	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/vmware-tools/(s)?bin32(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/vmware-tools/(s)?bin64(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -319,9 +364,11 @@ ifdef(`distro_redhat', `
+@@ -319,9 +365,11 @@ ifdef(`distro_redhat', `
  /usr/share/clamav/clamd-gen	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/clamav/freshclam-sleep --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/createrepo(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -71777,7 +71803,7 @@ index 3fae11a..cf3cf20 100644
  /usr/share/pwlib/make/ptlib-config --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/pydict/pydict\.py	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -363,20 +410,21 @@ ifdef(`distro_redhat', `
+@@ -363,20 +411,21 @@ ifdef(`distro_redhat', `
  ifdef(`distro_suse', `
  /usr/lib/cron/run-crons		--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/samba/classic/.*	--	gen_context(system_u:object_r:bin_t,s0)
@@ -71803,7 +71829,7 @@ index 3fae11a..cf3cf20 100644
  
  /var/qmail/bin			-d	gen_context(system_u:object_r:bin_t,s0)
  /var/qmail/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-@@ -385,3 +433,13 @@ ifdef(`distro_suse', `
+@@ -385,3 +434,13 @@ ifdef(`distro_suse', `
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -76008,7 +76034,7 @@ index c19518a..04ef731 100644
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index ff006ea..0833750 100644
+index ff006ea..a8c0e34 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -55,6 +55,7 @@
@@ -77584,7 +77610,7 @@ index ff006ea..0833750 100644
  ')
  
  ########################################
-@@ -6117,3 +6899,320 @@ interface(`files_unconfined',`
+@@ -6117,3 +6899,324 @@ interface(`files_unconfined',`
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -77744,7 +77770,11 @@ index ff006ea..0833750 100644
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <rolecap/>
++## <param name="object_type">
++##  <summary>
++##  Object type.
++##  </summary>
++## </param>
 +#
 +interface(`files_rw_all_inherited_files',`
 +	gen_require(`
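Review bot: The added `object_type` parameter for `files_rw_all_inherited_files` is documented only as "Object type.", which does not tell a caller what the second argument selects or restricts. The interface body continues outside this hunk, so how `$2` is used cannot be confirmed here; the summary should state it explicitly. The new lines are also indented with two spaces (`##  <summary>`) where the neighbouring param block uses a tab (`##	<summary>`); keeping the tab form would match the rest of the file.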
@@ -84068,7 +84098,7 @@ index c0f858d..10a0cd6 100644
 +	allow $1 accountsd_unit_file_t:service all_service_perms;
  ')
 diff --git a/policy/modules/services/accountsd.te b/policy/modules/services/accountsd.te
-index 1632f10..3d2ca4c 100644
+index 1632f10..1204d7f 100644
 --- a/policy/modules/services/accountsd.te
 +++ b/policy/modules/services/accountsd.te
 @@ -1,5 +1,9 @@
@@ -84126,12 +84156,13 @@ index 1632f10..3d2ca4c 100644
  
  miscfiles_read_localization(accountsd_t)
  
-@@ -55,3 +70,8 @@ optional_policy(`
+@@ -55,3 +70,9 @@ optional_policy(`
  optional_policy(`
  	policykit_dbus_chat(accountsd_t)
  ')
 +
 +optional_policy(`
++	xserver_read_state_xdm(accountsd_t)
 +	xserver_dbus_chat_xdm(accountsd_t)
 +	xserver_manage_xdm_etc_files(accountsd_t)
 +')
@@ -85487,10 +85518,10 @@ index 6480167..4fc1968 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
  ')
 diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 3136c6a..0a79c81 100644
+index 3136c6a..639f834 100644
 --- a/policy/modules/services/apache.te
 +++ b/policy/modules/services/apache.te
-@@ -18,136 +18,240 @@ policy_module(apache, 2.2.1)
+@@ -18,136 +18,247 @@ policy_module(apache, 2.2.1)
  # Declarations
  #
  
@@ -85696,6 +85727,13 @@ index 3136c6a..0a79c81 100644
 +
 +## <desc>
 +##	<p>
++##	Allow Apache to run in stickshift mode, not transition to passenger
++##	</p>
++## </desc>
++gen_tunable(httpd_run_stickshift, false)
++
++## <desc>
++##	<p>
 +##	Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
 +##	</p>
  ## </desc>
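Review bot: The description of the new `httpd_run_stickshift` tunable, "Allow Apache to run in stickshift mode, not transition to passenger", understates what the boolean enables, and this text is all an administrator sees when listing booleans. In the `tunable_policy` block of the later apache.te hunk, the true branch replaces `passenger_domtrans(httpd_t)` with `passenger_exec(httpd_t)`, adds `sys_resource`, `fowner`, `fsetid` and `process setexec` to `httpd_t`, and upgrades lib access from read to manage. I would say so in the description, for example `##	Allow Apache to run passenger in the httpd_t domain (stickshift mode) instead of transitioning to passenger_t. This grants httpd_t additional capabilities and write access to passenger lib files.`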
@@ -85787,7 +85825,7 @@ index 3136c6a..0a79c81 100644
  attribute httpd_script_exec_type;
  attribute httpd_user_script_exec_type;
  
-@@ -166,7 +270,7 @@ files_type(httpd_cache_t)
+@@ -166,7 +277,7 @@ files_type(httpd_cache_t)
  
  # httpd_config_t is the type given to the configuration files
  type httpd_config_t;
@@ -85796,7 +85834,7 @@ index 3136c6a..0a79c81 100644
  
  type httpd_helper_t;
  type httpd_helper_exec_t;
-@@ -177,6 +281,9 @@ role system_r types httpd_helper_t;
+@@ -177,6 +288,9 @@ role system_r types httpd_helper_t;
  type httpd_initrc_exec_t;
  init_script_file(httpd_initrc_exec_t)
  
@@ -85806,7 +85844,7 @@ index 3136c6a..0a79c81 100644
  type httpd_lock_t;
  files_lock_file(httpd_lock_t)
  
-@@ -216,7 +323,21 @@ files_tmp_file(httpd_suexec_tmp_t)
+@@ -216,7 +330,21 @@ files_tmp_file(httpd_suexec_tmp_t)
  
  # setup the system domain for system CGI scripts
  apache_content_template(sys)
@@ -85829,7 +85867,7 @@ index 3136c6a..0a79c81 100644
  
  type httpd_tmp_t;
  files_tmp_file(httpd_tmp_t)
-@@ -226,6 +347,10 @@ files_tmpfs_file(httpd_tmpfs_t)
+@@ -226,6 +354,10 @@ files_tmpfs_file(httpd_tmpfs_t)
  
  apache_content_template(user)
  ubac_constrained(httpd_user_script_t)
@@ -85840,7 +85878,7 @@ index 3136c6a..0a79c81 100644
  userdom_user_home_content(httpd_user_content_t)
  userdom_user_home_content(httpd_user_htaccess_t)
  userdom_user_home_content(httpd_user_script_exec_t)
-@@ -233,6 +358,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
+@@ -233,6 +365,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
  userdom_user_home_content(httpd_user_rw_content_t)
  typeattribute httpd_user_script_t httpd_script_domains;
  typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
@@ -85848,7 +85886,7 @@ index 3136c6a..0a79c81 100644
  typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
  typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
  typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
-@@ -254,14 +380,23 @@ files_type(httpd_var_lib_t)
+@@ -254,14 +387,23 @@ files_type(httpd_var_lib_t)
  type httpd_var_run_t;
  files_pid_file(httpd_var_run_t)
  
@@ -85872,7 +85910,7 @@ index 3136c6a..0a79c81 100644
  ########################################
  #
  # Apache server local policy
-@@ -281,11 +416,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -281,11 +423,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
  allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow httpd_t self:tcp_socket create_stream_socket_perms;
  allow httpd_t self:udp_socket create_socket_perms;
@@ -85886,7 +85924,7 @@ index 3136c6a..0a79c81 100644
  
  # Allow the httpd_t to read the web servers config files
  allow httpd_t httpd_config_t:dir list_dir_perms;
-@@ -329,8 +466,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
+@@ -329,8 +473,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
  
  manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
  manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
@@ -85897,7 +85935,7 @@ index 3136c6a..0a79c81 100644
  
  manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
  manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
-@@ -339,8 +477,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
+@@ -339,8 +484,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
  manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
  fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
  
@@ -85908,7 +85946,7 @@ index 3136c6a..0a79c81 100644
  
  setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
  manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
-@@ -355,6 +494,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -355,6 +501,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  kernel_read_kernel_sysctls(httpd_t)
  # for modules that want to access /proc/meminfo
  kernel_read_system_state(httpd_t)
@@ -85918,7 +85956,7 @@ index 3136c6a..0a79c81 100644
  
  corenet_all_recvfrom_unlabeled(httpd_t)
  corenet_all_recvfrom_netlabel(httpd_t)
-@@ -365,11 +507,16 @@ corenet_udp_sendrecv_generic_node(httpd_t)
+@@ -365,11 +514,16 @@ corenet_udp_sendrecv_generic_node(httpd_t)
  corenet_tcp_sendrecv_all_ports(httpd_t)
  corenet_udp_sendrecv_all_ports(httpd_t)
  corenet_tcp_bind_generic_node(httpd_t)
@@ -85936,7 +85974,7 @@ index 3136c6a..0a79c81 100644
  
  dev_read_sysfs(httpd_t)
  dev_read_rand(httpd_t)
-@@ -378,12 +525,12 @@ dev_rw_crypto(httpd_t)
+@@ -378,12 +532,12 @@ dev_rw_crypto(httpd_t)
  
  fs_getattr_all_fs(httpd_t)
  fs_search_auto_mountpoints(httpd_t)
@@ -85952,7 +85990,7 @@ index 3136c6a..0a79c81 100644
  
  domain_use_interactive_fds(httpd_t)
  
-@@ -391,6 +538,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
+@@ -391,6 +545,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
  files_read_usr_files(httpd_t)
  files_list_mnt(httpd_t)
  files_search_spool(httpd_t)
@@ -85960,7 +85998,7 @@ index 3136c6a..0a79c81 100644
  files_read_var_lib_files(httpd_t)
  files_search_home(httpd_t)
  files_getattr_home_dir(httpd_t)
-@@ -402,48 +550,101 @@ files_read_etc_files(httpd_t)
+@@ -402,48 +557,101 @@ files_read_etc_files(httpd_t)
  files_read_var_lib_symlinks(httpd_t)
  
  fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -86064,7 +86102,7 @@ index 3136c6a..0a79c81 100644
  ')
  
  tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -456,25 +657,55 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -456,25 +664,55 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
  
  tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
  	domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
@@ -86122,7 +86160,7 @@ index 3136c6a..0a79c81 100644
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_t)
  	fs_read_cifs_symlinks(httpd_t)
-@@ -484,7 +715,16 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -484,7 +722,16 @@ tunable_policy(`httpd_can_sendmail',`
  	# allow httpd to connect to mail servers
  	corenet_tcp_connect_smtp_port(httpd_t)
  	corenet_sendrecv_smtp_client_packets(httpd_t)
@@ -86139,7 +86177,7 @@ index 3136c6a..0a79c81 100644
  ')
  
  tunable_policy(`httpd_ssi_exec',`
-@@ -499,9 +739,19 @@ tunable_policy(`httpd_ssi_exec',`
+@@ -499,9 +746,19 @@ tunable_policy(`httpd_ssi_exec',`
  # to run correctly without this permission, so the permission
  # are dontaudited here.
  tunable_policy(`httpd_tty_comm',`
@@ -86160,7 +86198,7 @@ index 3136c6a..0a79c81 100644
  ')
  
  optional_policy(`
-@@ -513,7 +763,13 @@ optional_policy(`
+@@ -513,7 +770,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -86175,7 +86213,7 @@ index 3136c6a..0a79c81 100644
  ')
  
  optional_policy(`
-@@ -528,7 +784,19 @@ optional_policy(`
+@@ -528,7 +791,19 @@ optional_policy(`
  	daemontools_service_domain(httpd_t, httpd_exec_t)
  ')
  
@@ -86196,7 +86234,7 @@ index 3136c6a..0a79c81 100644
  	dbus_system_bus_client(httpd_t)
  
  	tunable_policy(`httpd_dbus_avahi',`
-@@ -537,8 +805,13 @@ optional_policy(`
+@@ -537,8 +812,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -86211,7 +86249,7 @@ index 3136c6a..0a79c81 100644
  	')
  ')
  
-@@ -556,7 +829,21 @@ optional_policy(`
+@@ -556,7 +836,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -86233,7 +86271,7 @@ index 3136c6a..0a79c81 100644
  	mysql_stream_connect(httpd_t)
  	mysql_rw_db_sockets(httpd_t)
  
-@@ -567,6 +854,7 @@ optional_policy(`
+@@ -567,6 +861,7 @@ optional_policy(`
  
  optional_policy(`
  	nagios_read_config(httpd_t)
@@ -86241,13 +86279,22 @@ index 3136c6a..0a79c81 100644
  ')
  
  optional_policy(`
-@@ -577,6 +865,20 @@ optional_policy(`
+@@ -577,6 +872,29 @@ optional_policy(`
  ')
  
  optional_policy(`
-+	passenger_domtrans(httpd_t)
-+	passenger_manage_pid_content(httpd_t)
-+	passenger_read_lib_files(httpd_t)
++	tunable_policy(`httpd_run_stickshift', `
++		allow httpd_t self:capability sys_resource;
++		allow httpd_t self:capability { fowner fsetid };
++		allow httpd_t self:process setexec;
++		passenger_exec(httpd_t)
++		passenger_manage_pid_content(httpd_t)
++		passenger_manage_lib_files(httpd_t)
++	',`
++		passenger_domtrans(httpd_t)
++		passenger_manage_pid_content(httpd_t)
++		passenger_read_lib_files(httpd_t)
++	')
 +')
 +
 +optional_policy(`
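Review bot: The rules in the `httpd_run_stickshift` branch have no comment saying why they are needed: `sys_resource`, `fowner`, `fsetid` and `process setexec` each widen what a compromised `httpd_t` can do. A short why-comment per rule would let a later reviewer drop any that prove unnecessary. The two capability lines can also be merged into `allow httpd_t self:capability { fowner fsetid sys_resource };`. `passenger_manage_pid_content(httpd_t)` appears in both branches and can be hoisted above the `tunable_policy` call, so that the branches differ only in what the boolean changes.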
@@ -86262,7 +86309,7 @@ index 3136c6a..0a79c81 100644
  	# Allow httpd to work with postgresql
  	postgresql_stream_connect(httpd_t)
  	postgresql_unpriv_client(httpd_t)
-@@ -591,6 +893,11 @@ optional_policy(`
+@@ -591,6 +909,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -86274,7 +86321,7 @@ index 3136c6a..0a79c81 100644
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
  	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
  ')
-@@ -603,6 +910,12 @@ optional_policy(`
+@@ -603,6 +926,12 @@ optional_policy(`
  	yam_read_content(httpd_t)
  ')
  
@@ -86287,7 +86334,7 @@ index 3136c6a..0a79c81 100644
  ########################################
  #
  # Apache helper local policy
-@@ -616,7 +929,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -616,7 +945,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
  
  logging_send_syslog_msg(httpd_helper_t)
  
@@ -86300,7 +86347,7 @@ index 3136c6a..0a79c81 100644
  
  ########################################
  #
-@@ -654,28 +971,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -654,28 +987,30 @@ libs_exec_lib_files(httpd_php_t)
  userdom_use_unpriv_users_fds(httpd_php_t)
  
  tunable_policy(`httpd_can_network_connect_db',`
@@ -86344,7 +86391,7 @@ index 3136c6a..0a79c81 100644
  ')
  
  ########################################
-@@ -685,6 +1004,8 @@ optional_policy(`
+@@ -685,6 +1020,8 @@ optional_policy(`
  
  allow httpd_suexec_t self:capability { setuid setgid };
  allow httpd_suexec_t self:process signal_perms;
@@ -86353,7 +86400,7 @@ index 3136c6a..0a79c81 100644
  allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
  
  domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -699,17 +1020,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -699,17 +1036,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
  
@@ -86379,7 +86426,7 @@ index 3136c6a..0a79c81 100644
  
  files_read_etc_files(httpd_suexec_t)
  files_read_usr_files(httpd_suexec_t)
-@@ -740,13 +1066,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -740,13 +1082,31 @@ tunable_policy(`httpd_can_network_connect',`
  	corenet_sendrecv_all_client_packets(httpd_suexec_t)
  ')
  
@@ -86412,7 +86459,7 @@ index 3136c6a..0a79c81 100644
  	fs_read_nfs_files(httpd_suexec_t)
  	fs_read_nfs_symlinks(httpd_suexec_t)
  	fs_exec_nfs_files(httpd_suexec_t)
-@@ -769,6 +1113,25 @@ optional_policy(`
+@@ -769,6 +1129,25 @@ optional_policy(`
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -86438,7 +86485,7 @@ index 3136c6a..0a79c81 100644
  ########################################
  #
  # Apache system script local policy
-@@ -789,12 +1152,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -789,12 +1168,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
  
  kernel_read_kernel_sysctls(httpd_sys_script_t)
  
@@ -86456,7 +86503,7 @@ index 3136c6a..0a79c81 100644
  ifdef(`distro_redhat',`
  	allow httpd_sys_script_t httpd_log_t:file append_file_perms;
  ')
-@@ -803,18 +1171,50 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -803,18 +1187,50 @@ tunable_policy(`httpd_can_sendmail',`
  	mta_send_mail(httpd_sys_script_t)
  ')
  
@@ -86513,7 +86560,7 @@ index 3136c6a..0a79c81 100644
  	corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -822,14 +1222,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -822,14 +1238,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
  ')
  
  tunable_policy(`httpd_enable_homedirs',`
@@ -86544,7 +86591,7 @@ index 3136c6a..0a79c81 100644
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,10 +1257,20 @@ optional_policy(`
+@@ -842,10 +1273,20 @@ optional_policy(`
  optional_policy(`
  	mysql_stream_connect(httpd_sys_script_t)
  	mysql_rw_db_sockets(httpd_sys_script_t)
@@ -86565,7 +86612,7 @@ index 3136c6a..0a79c81 100644
  ')
  
  ########################################
-@@ -891,11 +1316,135 @@ optional_policy(`
+@@ -891,11 +1332,135 @@ optional_policy(`
  
  tunable_policy(`httpd_enable_cgi && httpd_unified',`
  	allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -87614,10 +87661,10 @@ index a7a0e71..3b01eed 100644
  
 diff --git a/policy/modules/services/bcfg2.fc b/policy/modules/services/bcfg2.fc
 new file mode 100644
-index 0000000..97fa279
+index 0000000..6befaac
 --- /dev/null
 +++ b/policy/modules/services/bcfg2.fc
-@@ -0,0 +1,7 @@
+@@ -0,0 +1,9 @@
 +/etc/rc\.d/init\.d/bcfg2	--	gen_context(system_u:object_r:bcfg2_initrc_exec_t,s0)
 +
 +/usr/lib/systemd/system/bcfg2-server.service		--	gen_context(system_u:object_r:bcfg2_unit_file_t,s0)
@@ -87625,6 +87672,8 @@ index 0000000..97fa279
 +/usr/sbin/bcfg2-server		--	gen_context(system_u:object_r:bcfg2_exec_t,s0)
 +
 +/var/lib/bcfg2(/.*)?		gen_context(system_u:object_r:bcfg2_var_lib_t,s0)
++
++/var/run/bcfg2-server\.pid          --      gen_context(system_u:object_r:bcfg2_var_run_t,s0)
 diff --git a/policy/modules/services/bcfg2.if b/policy/modules/services/bcfg2.if
 new file mode 100644
 index 0000000..e71ebe1
@@ -87818,10 +87867,10 @@ index 0000000..e71ebe1
 +')
 diff --git a/policy/modules/services/bcfg2.te b/policy/modules/services/bcfg2.te
 new file mode 100644
-index 0000000..5fbce5c
+index 0000000..7c301dc
 --- /dev/null
 +++ b/policy/modules/services/bcfg2.te
-@@ -0,0 +1,47 @@
+@@ -0,0 +1,55 @@
 +policy_module(bcfg2, 1.0.0)
 +
 +########################################
@@ -87842,17 +87891,25 @@ index 0000000..5fbce5c
 +type bcfg2_unit_file_t;
 +systemd_unit_file(bcfg2_unit_file_t)
 +
++type bcfg2_var_run_t;
++files_pid_file(bcfg2_var_run_t)
++
 +########################################
 +#
 +# bcfg2 local policy
 +#
++
 +allow bcfg2_t self:fifo_file rw_fifo_file_perms;
++allow bcfg2_t self:tcp_socket create_stream_socket_perms;
 +allow bcfg2_t self:unix_stream_socket { connectto create_stream_socket_perms };
 +
 +manage_dirs_pattern(bcfg2_t, bcfg2_var_lib_t, bcfg2_var_lib_t)
 +manage_files_pattern(bcfg2_t, bcfg2_var_lib_t, bcfg2_var_lib_t)
 +files_var_lib_filetrans(bcfg2_t, bcfg2_var_lib_t, { dir file })
 +
++manage_files_pattern(bcfg2_t, bcfg2_var_run_t,bcfg2_var_run_t)
++files_pid_filetrans(bcfg2_t,bcfg2_var_run_t, { file })
++
 +kernel_read_system_state(bcfg2_t)
 +
 +corecmd_exec_bin(bcfg2_t)
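Review bot: The added `allow bcfg2_t self:tcp_socket create_stream_socket_perms;` lets the daemon create TCP sockets, but no `corenet_*` bind or connect rules for `bcfg2_t` are visible in this hunk. The policy continues past the hunk, so they may exist further down; if not, the socket rule alone will still produce denials. A comment naming the port the server listens on would also make the intended network surface reviewable. As a style point, the two new pid-file lines lack the space after the comma that the rest of the file uses: `manage_files_pattern(bcfg2_t, bcfg2_var_run_t, bcfg2_var_run_t)` and `files_pid_filetrans(bcfg2_t, bcfg2_var_run_t, { file })`.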
@@ -126128,7 +126185,7 @@ index 078bcd7..21ff471 100644
 +/root/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 +/root/\.shosts				gen_context(system_u:object_r:ssh_home_t,s0)
 diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index 22adaca..6ec295a 100644
+index 22adaca..31b38b7 100644
 --- a/policy/modules/services/ssh.if
 +++ b/policy/modules/services/ssh.if
 @@ -32,10 +32,11 @@
@@ -126331,7 +126388,7 @@ index 22adaca..6ec295a 100644
  ')
  
  ########################################
-@@ -290,11 +323,11 @@ template(`ssh_server_template', `
+@@ -290,14 +323,15 @@ template(`ssh_server_template', `
  ##	User domain for the role
  ##	</summary>
  ## </param>
@@ -126344,7 +126401,11 @@ index 22adaca..6ec295a 100644
  		type ssh_t, ssh_exec_t, ssh_tmpfs_t, ssh_home_t;
  		type ssh_agent_exec_t, ssh_keysign_t, ssh_tmpfs_t;
  		type ssh_agent_tmp_t;
-@@ -327,17 +360,20 @@ template(`ssh_role_template',`
++		type cache_home_t;
+ 	')
+ 
+ 	##############################
+@@ -327,17 +361,20 @@ template(`ssh_role_template',`
  
  	# allow ps to show ssh
  	ps_process_pattern($3, ssh_t)
@@ -126366,8 +126427,11 @@ index 22adaca..6ec295a 100644
  
  	##############################
  	#
-@@ -359,7 +395,7 @@ template(`ssh_role_template',`
+@@ -357,9 +394,10 @@ template(`ssh_role_template',`
+ 
+ 	# for ssh-add
  	stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t)
++	stream_connect_pattern($3, cache_home_t, cache_home_t, $1_ssh_agent_t)
  
  	# Allow the user shell to signal the ssh program.
 -	allow $3 $1_ssh_agent_t:process signal;
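Review bot: The added `stream_connect_pattern($3, cache_home_t, cache_home_t, $1_ssh_agent_t)` sits under the existing `# for ssh-add` comment with no explanation of why the agent socket would carry the generic `cache_home_t` label rather than `ssh_agent_tmp_t`. Judging by the changelog entry about the gnome-keyring socket being moved, this probably covers a socket that now lives under the user's cache directory, and a comment such as `# agent socket may be created under ~/.cache (cache_home_t)` would record that. The previous hunk adds `type cache_home_t;` to the template's `gen_require`; the hunks shown do not say which module declares that type, so it is worth confirming it is always present where `ssh_role_template` is expanded, or wrapping the rule in an `optional_policy` block. The template body extends beyond both hunks.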
@@ -126375,7 +126439,7 @@ index 22adaca..6ec295a 100644
  
  	# allow ps to show ssh
  	ps_process_pattern($3, $1_ssh_agent_t)
-@@ -381,7 +417,6 @@ template(`ssh_role_template',`
+@@ -381,7 +419,6 @@ template(`ssh_role_template',`
  
  	files_read_etc_files($1_ssh_agent_t)
  	files_read_etc_runtime_files($1_ssh_agent_t)
@@ -126383,7 +126447,7 @@ index 22adaca..6ec295a 100644
  
  	libs_read_lib_files($1_ssh_agent_t)
  
-@@ -393,28 +428,15 @@ template(`ssh_role_template',`
+@@ -393,28 +430,15 @@ template(`ssh_role_template',`
  	seutil_dontaudit_read_config($1_ssh_agent_t)
  
  	# Write to the user domain tty.
@@ -126415,7 +126479,7 @@ index 22adaca..6ec295a 100644
  
  	optional_policy(`
  		nis_use_ypbind($1_ssh_agent_t)
-@@ -464,6 +486,24 @@ interface(`ssh_signal',`
+@@ -464,6 +488,24 @@ interface(`ssh_signal',`
  
  ########################################
  ## <summary>
@@ -126440,7 +126504,7 @@ index 22adaca..6ec295a 100644
  ##	Read a ssh server unnamed pipe.
  ## </summary>
  ## <param name="domain">
-@@ -477,8 +517,27 @@ interface(`ssh_read_pipes',`
+@@ -477,8 +519,27 @@ interface(`ssh_read_pipes',`
  		type sshd_t;
  	')
  
@@ -126469,7 +126533,7 @@ index 22adaca..6ec295a 100644
  ########################################
  ## <summary>
  ##	Read and write a ssh server unnamed pipe.
-@@ -494,7 +553,7 @@ interface(`ssh_rw_pipes',`
+@@ -494,7 +555,7 @@ interface(`ssh_rw_pipes',`
  		type sshd_t;
  	')
  
@@ -126478,7 +126542,7 @@ index 22adaca..6ec295a 100644
  ')
  
  ########################################
-@@ -586,6 +645,24 @@ interface(`ssh_domtrans',`
+@@ -586,6 +647,24 @@ interface(`ssh_domtrans',`
  
  ########################################
  ## <summary>
@@ -126503,7 +126567,7 @@ index 22adaca..6ec295a 100644
  ##	Execute the ssh client in the caller domain.
  ## </summary>
  ## <param name="domain">
-@@ -618,7 +695,7 @@ interface(`ssh_setattr_key_files',`
+@@ -618,7 +697,7 @@ interface(`ssh_setattr_key_files',`
  		type sshd_key_t;
  	')
  
@@ -126512,7 +126576,7 @@ index 22adaca..6ec295a 100644
  	files_search_pids($1)
  ')
  
-@@ -643,6 +720,42 @@ interface(`ssh_agent_exec',`
+@@ -643,6 +722,42 @@ interface(`ssh_agent_exec',`
  
  ########################################
  ## <summary>
@@ -126555,7 +126619,7 @@ index 22adaca..6ec295a 100644
  ##	Read ssh home directory content
  ## </summary>
  ## <param name="domain">
-@@ -682,6 +795,50 @@ interface(`ssh_domtrans_keygen',`
+@@ -682,6 +797,50 @@ interface(`ssh_domtrans_keygen',`
  
  ########################################
  ## <summary>
@@ -126606,7 +126670,7 @@ index 22adaca..6ec295a 100644
  ##	Read ssh server keys
  ## </summary>
  ## <param name="domain">
-@@ -695,7 +852,7 @@ interface(`ssh_dontaudit_read_server_keys',`
+@@ -695,7 +854,7 @@ interface(`ssh_dontaudit_read_server_keys',`
  		type sshd_key_t;
  	')
  
@@ -126615,7 +126679,7 @@ index 22adaca..6ec295a 100644
  ')
  
  ######################################
-@@ -735,3 +892,63 @@ interface(`ssh_delete_tmp',`
+@@ -735,3 +894,63 @@ interface(`ssh_delete_tmp',`
  	files_search_tmp($1)
  	delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
  ')
@@ -126680,7 +126744,7 @@ index 22adaca..6ec295a 100644
 +	userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts")
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 2dad3c8..9a5c6a6 100644
+index 2dad3c8..007838e 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
 @@ -6,26 +6,37 @@ policy_module(ssh, 2.2.0)
@@ -126875,7 +126939,7 @@ index 2dad3c8..9a5c6a6 100644
  ')
  
  optional_policy(`
-+	gnome_stream_connect_all_gkeyringd(ssh_t)
++	gnome_stream_connect_gkeyringd(ssh_t)
 +')
 +
 +optional_policy(`
@@ -127911,6 +127975,23 @@ index c842cad..037dd90 100644
  
  domain_use_interactive_fds(tor_t)
  
+diff --git a/policy/modules/services/tuned.fc b/policy/modules/services/tuned.fc
+index 639c962..8488152 100644
+--- a/policy/modules/services/tuned.fc
++++ b/policy/modules/services/tuned.fc
+@@ -1,8 +1,12 @@
+ /etc/rc\.d/init\.d/tuned	--	gen_context(system_u:object_r:tuned_initrc_exec_t,s0)
+ 
++/etc/tuned(/.)?				 	gen_context(system_u:object_r:tuned_etc_t,s0)
++/etc/tuned/active_profile --		gen_context(system_u:object_r:tuned_rw_etc_t,s0)
++
+ /usr/sbin/tuned			--	gen_context(system_u:object_r:tuned_exec_t,s0)
+ 
+ /var/log/tuned(/.*)?			gen_context(system_u:object_r:tuned_log_t,s0)
+ /var/log/tuned\.log		--	gen_context(system_u:object_r:tuned_log_t,s0)
+ 
++/var/run/tuned(/.*)?				gen_context(system_u:object_r:tuned_var_run_t,s0)
+ /var/run/tuned\.pid		--	gen_context(system_u:object_r:tuned_var_run_t,s0)
 diff --git a/policy/modules/services/tuned.if b/policy/modules/services/tuned.if
 index 54b8605..a04f013 100644
 --- a/policy/modules/services/tuned.if
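Review bot: The new file-context entry `/etc/tuned(/.)?` looks like a typo for `/etc/tuned(/.*)?`. As written, the optional group matches only a slash followed by exactly one character, so the directory itself gets `tuned_etc_t` but nearly everything beneath it keeps the default `/etc` label. The other recursive entries in this file (`/var/log/tuned(/.*)?`, `/var/run/tuned(/.*)?`) use the `.*` form. Suggested line: `/etc/tuned(/.*)?	gen_context(system_u:object_r:tuned_etc_t,s0)`.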
@@ -127953,19 +128034,53 @@ index 54b8605..a04f013 100644
  	admin_pattern($1, tuned_var_run_t)
  ')
 diff --git a/policy/modules/services/tuned.te b/policy/modules/services/tuned.te
-index db9d2a5..7f1a022 100644
+index db9d2a5..6f172ac 100644
 --- a/policy/modules/services/tuned.te
 +++ b/policy/modules/services/tuned.te
-@@ -24,6 +24,7 @@ files_pid_file(tuned_var_run_t)
+@@ -12,6 +12,12 @@ init_daemon_domain(tuned_t, tuned_exec_t)
+ type tuned_initrc_exec_t;
+ init_script_file(tuned_initrc_exec_t)
+ 
++type tuned_etc_t;
++files_config_file(tuned_etc_t)
++
++type tuned_rw_etc_t;
++files_config_file(tuned_rw_etc_t)
++
+ type tuned_log_t;
+ logging_log_file(tuned_log_t)
+ 
+@@ -23,23 +29,34 @@ files_pid_file(tuned_var_run_t)
+ # tuned local policy
  #
  
++allow tuned_t self:process signal;
++
  dontaudit tuned_t self:capability { dac_override sys_tty_config };
 +allow tuned_t self:fifo_file rw_fifo_file_perms;
++allow tuned_t self:udp_socket create_socket_perms;
++
++read_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t)
++
++manage_files_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t)
  
  manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t)
  manage_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
-@@ -39,7 +40,7 @@ kernel_read_system_state(tuned_t)
+-logging_log_filetrans(tuned_t, tuned_log_t, file)
++logging_log_filetrans(tuned_t, tuned_log_t, file, "tuned.log")
+ 
+ manage_files_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t)
+-files_pid_filetrans(tuned_t, tuned_var_run_t, file)
++manage_dirs_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t)
++files_pid_filetrans(tuned_t, tuned_var_run_t, { dir file })
+ 
+ corecmd_exec_shell(tuned_t)
+ corecmd_exec_bin(tuned_t)
+ 
+ kernel_read_system_state(tuned_t)
  kernel_read_network_state(tuned_t)
++kernel_rw_hotplug_sysctls(tuned_t)
++kernel_rw_vm_sysctls(tuned_t)
  
  dev_read_urand(tuned_t)
 -dev_read_sysfs(tuned_t)
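Review bot: `manage_files_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t)` lets tuned manage `tuned_rw_etc_t` files inside a `tuned_etc_t` directory, but this hunk adds no type transition, so a file tuned creates there would presumably inherit `tuned_etc_t`, which the rule above only lets it read. If tuned replaces `active_profile` by creating a new file rather than writing in place, the create is likely to be denied or the result left mislabeled until the next relabel. A named transition in the style the hunk already uses for `tuned.log` would cover it, e.g. `filetrans_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t, file, "active_profile")`. The new `udp_socket`, `kernel_rw_hotplug_sysctls` and `kernel_rw_vm_sysctls` grants also have no comment saying which tuned feature needs them.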
@@ -127973,7 +128088,7 @@ index db9d2a5..7f1a022 100644
  # to allow cpu tuning
  dev_rw_netcontrol(tuned_t)
  
-@@ -47,6 +48,8 @@ files_read_etc_files(tuned_t)
+@@ -47,6 +64,8 @@ files_read_etc_files(tuned_t)
  files_read_usr_files(tuned_t)
  files_dontaudit_search_home(tuned_t)
  
@@ -127982,7 +128097,7 @@ index db9d2a5..7f1a022 100644
  logging_send_syslog_msg(tuned_t)
  
  miscfiles_read_localization(tuned_t)
-@@ -58,6 +61,10 @@ optional_policy(`
+@@ -58,6 +77,10 @@ optional_policy(`
  	fstools_domtrans(tuned_t)
  ')
  
@@ -134475,7 +134590,7 @@ index 28ad538..bb13287 100644
 -/var/run/user(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
  /var/(db|lib|adm)/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 73554ec..dec450c 100644
+index 73554ec..8beee5b 100644
 --- a/policy/modules/system/authlogin.if
 +++ b/policy/modules/system/authlogin.if
 @@ -57,6 +57,8 @@ interface(`auth_use_pam',`
@@ -134922,7 +135037,7 @@ index 73554ec..dec450c 100644
  ##	</p>
  ## </desc>
  ## <param name="domain">
-@@ -1575,87 +1808,202 @@ interface(`auth_relabel_login_records',`
+@@ -1575,87 +1808,204 @@ interface(`auth_relabel_login_records',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -134961,6 +135076,7 @@ index 73554ec..dec450c 100644
 +		type shadow_t;
 +		type passwd_file_t;
 +		type faillog_t;
++		type lastlog_t;
 +		type wtmp_t;
 +		type pam_var_console_t;
 +		type pam_var_run_t;
@@ -134981,6 +135097,7 @@ index 73554ec..dec450c 100644
 +	files_etc_filetrans($1, shadow_t, file, "shadow-")
 +	files_etc_filetrans($1, shadow_t, file, ".pwd.lock")
 +	files_etc_filetrans($1, shadow_t, file, "gshadow")
++	logging_log_named_filetrans($1, lastlog_t, file, "lastlog")
 +	logging_log_named_filetrans($1, faillog_t, file, "tallylog")
 +	logging_log_named_filetrans($1, faillog_t, file, "faillog")
 +	logging_log_named_filetrans($1, faillog_t, file, "btmp")
@@ -136898,7 +137015,7 @@ index 94fd8dd..6acffdb 100644
 +	allow $1 init_t:system undefined;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 29a9565..e2c5116 100644
+index 29a9565..59ba914 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,34 @@ gen_require(`
@@ -137295,7 +137412,7 @@ index 29a9565..e2c5116 100644
  
  init_write_initctl(initrc_t)
  
-@@ -258,20 +475,32 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,20 +475,33 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -137315,6 +137432,7 @@ index 29a9565..e2c5116 100644
 +files_manage_system_conf_files(initrc_t)
 +
 +fs_manage_tmpfs_dirs(initrc_t)
++fs_manage_tmpfs_symlinks(initrc_t)
 +fs_tmpfs_filetrans(initrc_t, initrc_state_t, file)
  
  corecmd_exec_all_executables(initrc_t)
@@ -137332,7 +137450,7 @@ index 29a9565..e2c5116 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -279,6 +508,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -279,6 +509,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -137340,7 +137458,7 @@ index 29a9565..e2c5116 100644
  dev_write_kmsg(initrc_t)
  dev_write_rand(initrc_t)
  dev_write_urand(initrc_t)
-@@ -289,8 +519,10 @@ dev_write_framebuffer(initrc_t)
+@@ -289,8 +520,10 @@ dev_write_framebuffer(initrc_t)
  dev_read_realtime_clock(initrc_t)
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
@@ -137351,7 +137469,7 @@ index 29a9565..e2c5116 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -298,17 +530,16 @@ dev_manage_generic_files(initrc_t)
+@@ -298,17 +531,16 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -137371,7 +137489,7 @@ index 29a9565..e2c5116 100644
  domain_getsession_all_domains(initrc_t)
  domain_use_interactive_fds(initrc_t)
  # for lsof which is used by alsa shutdown:
-@@ -316,6 +547,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -316,6 +548,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -137379,7 +137497,7 @@ index 29a9565..e2c5116 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -323,8 +555,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +556,10 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -137391,7 +137509,7 @@ index 29a9565..e2c5116 100644
  files_delete_all_pids(initrc_t)
  files_delete_all_pid_dirs(initrc_t)
  files_read_etc_files(initrc_t)
-@@ -340,8 +574,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +575,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -137405,7 +137523,7 @@ index 29a9565..e2c5116 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -351,9 +589,12 @@ fs_mount_all_fs(initrc_t)
+@@ -351,9 +590,12 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -137419,7 +137537,7 @@ index 29a9565..e2c5116 100644
  mcs_killall(initrc_t)
  mcs_process_set_categories(initrc_t)
  
-@@ -363,6 +604,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +605,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -137427,7 +137545,7 @@ index 29a9565..e2c5116 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -374,6 +616,7 @@ term_use_all_terms(initrc_t)
+@@ -374,6 +617,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -137435,7 +137553,7 @@ index 29a9565..e2c5116 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -394,18 +637,17 @@ logging_read_audit_config(initrc_t)
+@@ -394,18 +638,17 @@ logging_read_audit_config(initrc_t)
  
  miscfiles_read_localization(initrc_t)
  # slapd needs to read cert files from its initscript
@@ -137457,7 +137575,7 @@ index 29a9565..e2c5116 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -458,6 +700,10 @@ ifdef(`distro_gentoo',`
+@@ -458,6 +701,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -137468,7 +137586,7 @@ index 29a9565..e2c5116 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -478,7 +724,7 @@ ifdef(`distro_redhat',`
+@@ -478,7 +725,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -137477,7 +137595,7 @@ index 29a9565..e2c5116 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -493,6 +739,7 @@ ifdef(`distro_redhat',`
+@@ -493,6 +740,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -137485,7 +137603,7 @@ index 29a9565..e2c5116 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -513,6 +760,7 @@ ifdef(`distro_redhat',`
+@@ -513,6 +761,7 @@ ifdef(`distro_redhat',`
  	miscfiles_rw_localization(initrc_t)
  	miscfiles_setattr_localization(initrc_t)
  	miscfiles_relabel_localization(initrc_t)
@@ -137493,7 +137611,7 @@ index 29a9565..e2c5116 100644
  
  	miscfiles_read_fonts(initrc_t)
  	miscfiles_read_hwdata(initrc_t)
-@@ -522,8 +770,35 @@ ifdef(`distro_redhat',`
+@@ -522,8 +771,35 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -137529,7 +137647,7 @@ index 29a9565..e2c5116 100644
  	')
  
  	optional_policy(`
-@@ -531,14 +806,27 @@ ifdef(`distro_redhat',`
+@@ -531,14 +807,27 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -137557,7 +137675,7 @@ index 29a9565..e2c5116 100644
  	')
  ')
  
-@@ -549,6 +837,39 @@ ifdef(`distro_suse',`
+@@ -549,6 +838,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -137597,7 +137715,7 @@ index 29a9565..e2c5116 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -561,6 +882,8 @@ optional_policy(`
+@@ -561,6 +883,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -137606,7 +137724,7 @@ index 29a9565..e2c5116 100644
  ')
  
  optional_policy(`
-@@ -577,6 +900,7 @@ optional_policy(`
+@@ -577,6 +901,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -137614,7 +137732,7 @@ index 29a9565..e2c5116 100644
  ')
  
  optional_policy(`
-@@ -589,6 +913,17 @@ optional_policy(`
+@@ -589,6 +914,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -137632,7 +137750,7 @@ index 29a9565..e2c5116 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -605,9 +940,13 @@ optional_policy(`
+@@ -605,9 +941,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -137646,7 +137764,7 @@ index 29a9565..e2c5116 100644
  	')
  
  	optional_policy(`
-@@ -632,6 +971,10 @@ optional_policy(`
+@@ -632,6 +972,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -137657,7 +137775,7 @@ index 29a9565..e2c5116 100644
  	gpm_setattr_gpmctl(initrc_t)
  ')
  
-@@ -649,6 +992,11 @@ optional_policy(`
+@@ -649,6 +993,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -137669,7 +137787,7 @@ index 29a9565..e2c5116 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -689,6 +1037,7 @@ optional_policy(`
+@@ -689,6 +1038,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -137677,7 +137795,7 @@ index 29a9565..e2c5116 100644
  ')
  
  optional_policy(`
-@@ -706,7 +1055,13 @@ optional_policy(`
+@@ -706,7 +1056,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -137691,7 +137809,7 @@ index 29a9565..e2c5116 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -729,6 +1084,10 @@ optional_policy(`
+@@ -729,6 +1085,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -137702,7 +137820,7 @@ index 29a9565..e2c5116 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -738,10 +1097,20 @@ optional_policy(`
+@@ -738,10 +1098,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -137723,7 +137841,7 @@ index 29a9565..e2c5116 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -750,6 +1119,10 @@ optional_policy(`
+@@ -750,6 +1120,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -137734,7 +137852,7 @@ index 29a9565..e2c5116 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -771,8 +1144,6 @@ optional_policy(`
+@@ -771,8 +1145,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -137743,7 +137861,7 @@ index 29a9565..e2c5116 100644
  ')
  
  optional_policy(`
-@@ -781,6 +1152,10 @@ optional_policy(`
+@@ -781,6 +1153,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -137754,7 +137872,7 @@ index 29a9565..e2c5116 100644
  	# shorewall-init script run /var/lib/shorewall/firewall
  	shorewall_lib_domtrans(initrc_t)
  ')
-@@ -790,10 +1165,12 @@ optional_policy(`
+@@ -790,10 +1166,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -137767,7 +137885,7 @@ index 29a9565..e2c5116 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -805,7 +1182,6 @@ optional_policy(`
+@@ -805,7 +1183,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -137775,7 +137893,7 @@ index 29a9565..e2c5116 100644
  	udev_manage_pid_files(initrc_t)
  	udev_manage_rules_files(initrc_t)
  ')
-@@ -815,11 +1191,25 @@ optional_policy(`
+@@ -815,11 +1192,25 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -137802,7 +137920,7 @@ index 29a9565..e2c5116 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -829,6 +1219,18 @@ optional_policy(`
+@@ -829,6 +1220,18 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -137821,7 +137939,7 @@ index 29a9565..e2c5116 100644
  ')
  
  optional_policy(`
-@@ -844,6 +1246,10 @@ optional_policy(`
+@@ -844,6 +1247,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -137832,7 +137950,7 @@ index 29a9565..e2c5116 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -854,3 +1260,161 @@ optional_policy(`
+@@ -854,3 +1261,161 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -142220,7 +142338,7 @@ index 170e2c7..6c56785 100644
 +	auth_relabelto_shadow($1)
 +')
 diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index 7ed9819..4442617 100644
+index 7ed9819..b55eda0 100644
 --- a/policy/modules/system/selinuxutil.te
 +++ b/policy/modules/system/selinuxutil.te
 @@ -11,6 +11,7 @@ gen_require(`
@@ -142491,7 +142609,7 @@ index 7ed9819..4442617 100644
  ifdef(`distro_ubuntu',`
  	optional_policy(`
  		unconfined_domain(run_init_t)
-@@ -420,67 +471,29 @@ optional_policy(`
+@@ -420,185 +471,194 @@ optional_policy(`
  # semodule local policy
  #
  
@@ -142514,19 +142632,19 @@ index 7ed9819..4442617 100644
 -dev_read_urand(semanage_t)
 -
 -domain_use_interactive_fds(semanage_t)
-+seutil_semanage_policy(semanage_t)
-+allow semanage_t self:fifo_file rw_fifo_file_perms;
- 
+-
 -files_read_etc_files(semanage_t)
 -files_read_etc_runtime_files(semanage_t)
 -files_read_usr_files(semanage_t)
 -files_list_pids(semanage_t)
-+manage_dirs_pattern(semanage_t, selinux_var_lib_t,  selinux_var_lib_t)
-+manage_files_pattern(semanage_t, selinux_var_lib_t,  selinux_var_lib_t)
++seutil_semanage_policy(semanage_t)
++allow semanage_t self:fifo_file rw_fifo_file_perms;
  
 -mls_file_write_all_levels(semanage_t)
 -mls_file_read_all_levels(semanage_t)
--
++manage_dirs_pattern(semanage_t, selinux_var_lib_t,  selinux_var_lib_t)
++manage_files_pattern(semanage_t, selinux_var_lib_t,  selinux_var_lib_t)
+ 
 -selinux_validate_context(semanage_t)
 -selinux_get_enforce_mode(semanage_t)
 -selinux_getattr_fs(semanage_t)
@@ -142535,7 +142653,9 @@ index 7ed9819..4442617 100644
 +can_exec(semanage_t, semanage_exec_t)
  
 -term_use_all_terms(semanage_t)
--
++# Admins are creating pp files in random locations
++files_read_non_security_files(semanage_t)
+ 
 -# Running genhomedircon requires this for finding all users
 -auth_use_nsswitch(semanage_t)
 -
@@ -142544,9 +142664,7 @@ index 7ed9819..4442617 100644
 -logging_send_syslog_msg(semanage_t)
 -
 -miscfiles_read_localization(semanage_t)
-+# Admins are creating pp files in random locations
-+files_read_non_security_files(semanage_t)
- 
+-
 -seutil_libselinux_linked(semanage_t)
  seutil_manage_file_contexts(semanage_t)
  seutil_manage_config(semanage_t)
@@ -142568,8 +142686,15 @@ index 7ed9819..4442617 100644
  
  ifdef(`distro_debian',`
  	files_read_var_lib_files(semanage_t)
-@@ -493,112 +506,161 @@ ifdef(`distro_ubuntu',`
- 	')
+ 	files_read_var_lib_symlinks(semanage_t)
+ ')
+ 
+-ifdef(`distro_ubuntu',`
+-	optional_policy(`
+-		unconfined_domain(semanage_t)
+-	')
++optional_policy(`
++	unconfined_domain(semanage_t)
  ')
  
 -########################################
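Review bot: `unconfined_domain(semanage_t)` moves out of the `distro_ubuntu` ifdef into a bare `optional_policy`, so semanage_t becomes unconfined on every build that ships the unconfined module, and nothing in the policy text records why. That makes the narrower grants added for the same domain earlier in this section (for example `files_read_non_security_files(semanage_t)`) largely redundant, and the policy no longer documents what semanage actually needs. I would at least add a comment above the block, such as `# semanage runs unconfined because <reason or bug reference>`, and check whether the specific denials behind this could be allowed individually instead. The semanage section continues outside this hunk.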
@@ -142584,11 +142709,17 @@ index 7ed9819..4442617 100644
 -allow setfiles_t self:capability { dac_override dac_read_search fowner };
 -dontaudit setfiles_t self:capability sys_tty_config;
 -allow setfiles_t self:fifo_file rw_file_perms;
--
++init_dontaudit_use_fds(setsebool_t)
+ 
 -allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms;
 -allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:file read_file_perms;
 -allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock };
--
++# Bug in semanage
++seutil_domtrans_setfiles(setsebool_t)
++seutil_manage_file_contexts(setsebool_t)
++seutil_manage_default_contexts(setsebool_t)
++seutil_manage_config(setsebool_t)
+ 
 -kernel_read_system_state(setfiles_t)
 -kernel_relabelfrom_unlabeled_dirs(setfiles_t)
 -kernel_relabelfrom_unlabeled_files(setfiles_t)
@@ -142600,15 +142731,9 @@ index 7ed9819..4442617 100644
 -kernel_rw_unix_dgram_sockets(setfiles_t)
 -kernel_dontaudit_list_all_proc(setfiles_t)
 -kernel_dontaudit_list_all_sysctls(setfiles_t)
-+init_dontaudit_use_fds(setsebool_t)
- 
+-
 -dev_relabel_all_dev_nodes(setfiles_t)
-+# Bug in semanage
-+seutil_domtrans_setfiles(setsebool_t)
-+seutil_manage_file_contexts(setsebool_t)
-+seutil_manage_default_contexts(setsebool_t)
-+seutil_manage_config(setsebool_t)
- 
+-
 -domain_use_interactive_fds(setfiles_t)
 -domain_dontaudit_search_all_domains_state(setfiles_t)
 -
@@ -142775,9 +142900,8 @@ index 7ed9819..4442617 100644
  	# and then relabeled afterwards; thus
  	# /dev/console has the tmpfs type
 -	fs_rw_tmpfs_chr_files(setfiles_t)
-+	fs_rw_tmpfs_chr_files(setfiles_domain)
- ')
- 
+-')
+-
 -ifdef(`distro_redhat', `
 -	fs_rw_tmpfs_chr_files(setfiles_t)
 -	fs_rw_tmpfs_blk_files(setfiles_t)
@@ -142789,8 +142913,9 @@ index 7ed9819..4442617 100644
 -	optional_policy(`
 -		unconfined_domain(setfiles_t)
 -	')
--')
--
++	fs_rw_tmpfs_chr_files(setfiles_domain)
+ ')
+ 
 -ifdef(`hide_broken_symptoms',`
 -	optional_policy(`
 -		udev_dontaudit_rw_dgram_sockets(setfiles_t)
@@ -143155,7 +143280,7 @@ index ff80d0a..22c9f0d 100644
 +	files_etc_filetrans($1, net_conf_t, file, "yp.conf")
 +')
 diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index 34d0ec5..40d2d20 100644
+index 34d0ec5..cd52cdd 100644
 --- a/policy/modules/system/sysnetwork.te
 +++ b/policy/modules/system/sysnetwork.te
 @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.2)
@@ -143362,7 +143487,12 @@ index 34d0ec5..40d2d20 100644
  # for /sbin/ip
  allow ifconfig_t self:packet_socket create_socket_perms;
  allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -276,8 +330,12 @@ dev_read_urand(ifconfig_t)
+@@ -273,11 +327,17 @@ corenet_rw_tun_tap_dev(ifconfig_t)
+ dev_read_sysfs(ifconfig_t)
+ # for IPSEC setup:
+ dev_read_urand(ifconfig_t)
++# needed by tuned
++dev_rw_netcontrol(ifconfig_t)
  
  domain_use_interactive_fds(ifconfig_t)
  
@@ -143375,7 +143505,7 @@ index 34d0ec5..40d2d20 100644
  
  fs_getattr_xattr_fs(ifconfig_t)
  fs_search_auto_mountpoints(ifconfig_t)
-@@ -290,7 +348,7 @@ term_dontaudit_use_all_ptys(ifconfig_t)
+@@ -290,7 +350,7 @@ term_dontaudit_use_all_ptys(ifconfig_t)
  term_dontaudit_use_ptmx(ifconfig_t)
  term_dontaudit_use_generic_ptys(ifconfig_t)
  
@@ -143384,7 +143514,7 @@ index 34d0ec5..40d2d20 100644
  
  init_use_fds(ifconfig_t)
  init_use_script_ptys(ifconfig_t)
-@@ -301,11 +359,11 @@ logging_send_syslog_msg(ifconfig_t)
+@@ -301,11 +361,11 @@ logging_send_syslog_msg(ifconfig_t)
  
  miscfiles_read_localization(ifconfig_t)
  
@@ -143399,7 +143529,7 @@ index 34d0ec5..40d2d20 100644
  userdom_use_all_users_fds(ifconfig_t)
  
  ifdef(`distro_ubuntu',`
-@@ -314,7 +372,18 @@ ifdef(`distro_ubuntu',`
+@@ -314,7 +374,18 @@ ifdef(`distro_ubuntu',`
  	')
  ')
  
@@ -143418,7 +143548,7 @@ index 34d0ec5..40d2d20 100644
  	optional_policy(`
  		dev_dontaudit_rw_cardmgr(ifconfig_t)
  	')
-@@ -325,8 +394,14 @@ ifdef(`hide_broken_symptoms',`
+@@ -325,8 +396,14 @@ ifdef(`hide_broken_symptoms',`
  ')
  
  optional_policy(`
@@ -143433,7 +143563,7 @@ index 34d0ec5..40d2d20 100644
  ')
  
  optional_policy(`
-@@ -335,7 +410,15 @@ optional_policy(`
+@@ -335,7 +412,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -143450,7 +143580,7 @@ index 34d0ec5..40d2d20 100644
  ')
  
  optional_policy(`
-@@ -356,3 +439,9 @@ optional_policy(`
+@@ -356,3 +441,9 @@ optional_policy(`
  	xen_append_log(ifconfig_t)
  	xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
  ')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 9fe6871..3a5b233 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 108%{?dist}
+Release: 109%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -484,6 +484,15 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Fri Mar 30 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-109
+- Ensure lastlog is labeled correctly
+- Allow accountsd to read /proc data about gdm
+- Add fixes for tuned
+- Add bcfg2 fixes which were discovered during RHEL6 testing
+- More fixes for gnome-keyring socket being moved
+- Run semanage as a unconfined domain, and allow initrc_t to create tmpfs_t sym links on shutdown
+- Fix description for files_dontaudit_read_security_files() interface
+
 * Wed Mar 28 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-108
 - Add new policy and man page for bcfg2
 - cgconfig needs to use getpw calls

