[selinux-policy] - Allow sshd_t to read openshift content, needs backport to RHEL6.5 - Label /usr/lib64/sasl2/libsasl

Miroslav Grepl mgrepl at fedoraproject.org
Tue Oct 22 10:08:39 UTC 2013


commit 2d3bd4410330acd2d507351f44fdd748e6957f26
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Tue Oct 22 12:08:40 2013 +0200

    - Allow sshd_t to read openshift content, needs backport to RHEL6.5
    - Label /usr/lib64/sasl2/libsasldb.so.3.0.0 as textrel_shlib_t
    - Make sure kdump lock is created with correct label if kdumpctl is executed
    - gnome interface calls should always be made within an optional_block
    - Allow syslogd_t to connect to the syslog_tls port
    - Add labeling for /var/run/charon.ctl socket
    - Add kdump_filetrans_named_content()
    - Allow setpgid for fenced_t
    - Allow setpgid and r/w cluster tmpfs for fenced_t
    - gnome calls should always be within optional blocks
    - wicd.pid should be labeled as networkmanager_var_run_t
    - Allow sys_resource for lldpad

 policy-rawhide-base.patch    |  223 ++++++++++++++++++++++++++---------------
 policy-rawhide-contrib.patch |  216 +++++++++++++++++++++++++---------------
 selinux-policy.spec          |   16 +++-
 3 files changed, 292 insertions(+), 163 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 4cc0f25..c23bf3e 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -8756,7 +8756,7 @@ index 6a1e4d1..84e8030 100644
 +	dontaudit $1 domain:dir_file_class_set audit_access;
  ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..c8fc903 100644
+index cf04cb5..40f0157 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
 @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@@ -8893,7 +8893,7 @@ index cf04cb5..c8fc903 100644
  
  # Create/access any System V IPC objects.
  allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +231,298 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +231,302 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
  # act on all domains keys
  allow unconfined_domain_type domain:key *;
  
@@ -8910,6 +8910,10 @@ index cf04cb5..c8fc903 100644
 +dev_config_null_dev_service(unconfined_domain_type)
 +
 +optional_policy(`
++    kdump_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
 +	locallogin_filetrans_home_content(named_filetrans_domain)
 +')
 +
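Review bot: The new optional_policy block around kdump_filetrans_named_content(unconfined_domain_type) is indented with four spaces while the block directly beneath it (locallogin_filetrans_home_content) and the rest of domain.te use a tab, so the two blocks render at different columns; use a tab for the call line, `	kdump_filetrans_named_content(unconfined_domain_type)`. Since kdump lives in the contrib policy, wrapping the call in optional_policy is the right choice for a base-policy file. The enclosing section of domain.te starts and ends outside the hunk.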
@@ -20607,7 +20611,7 @@ index fe0c682..225aaa7 100644
 +	ps_process_pattern($1, sshd_t)
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 5fc0391..f06e006 100644
+index 5fc0391..1386603 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
 @@ -6,43 +6,61 @@ policy_module(ssh, 2.3.3)
@@ -20981,7 +20985,7 @@ index 5fc0391..f06e006 100644
 +	openshift_manage_tmp_files(sshd_t)
 +	openshift_manage_tmp_sockets(sshd_t)
 +	openshift_mounton_tmp(sshd_t)
-+	openshift_search_lib(sshd_t)
++	openshift_read_lib_files(sshd_t)
 +')
 +
 +optional_policy(`
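Review bot: Replacing openshift_search_lib(sshd_t) with openshift_read_lib_files(sshd_t) widens a network-facing daemon from searching the openshift lib directories to reading their file contents, and neither the hunk nor the commit message says which content sshd needs or why; a why-comment above the call, e.g. `# sshd reads openshift lib content for <reason> (<bug reference placeholder>)`, would let the access be revisited later instead of inherited silently. If openshift_read_lib_files does not itself grant directory search on the openshift lib type, the dropped openshift_search_lib call should be kept next to it — confirm against openshift.if. The enclosing optional_policy block begins outside the hunk.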
@@ -27927,7 +27931,7 @@ index 24e7804..76da5dd 100644
 +	files_etc_filetrans($1, machineid_t, file, "machine-id" )
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index dd3be8d..4d15ea1 100644
+index dd3be8d..d9b6a37 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -11,10 +11,24 @@ gen_require(`
@@ -28067,7 +28071,7 @@ index dd3be8d..4d15ea1 100644
  
  allow init_t initctl_t:fifo_file manage_fifo_file_perms;
  dev_filetrans(init_t, initctl_t, fifo_file)
-@@ -125,13 +181,17 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+@@ -125,13 +181,18 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
  
  kernel_read_system_state(init_t)
  kernel_share_state(init_t)
@@ -28079,6 +28083,7 @@ index dd3be8d..4d15ea1 100644
 -dev_read_sysfs(init_t)
 +dev_rw_sysfs(init_t)
 +dev_read_urand(init_t)
++dev_read_raw_memory(init_t)
  # Early devtmpfs
  dev_rw_generic_chr_files(init_t)
 +dev_filetrans_all_named_dev(init_t)
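Review bot: `dev_read_raw_memory(init_t)` grants init_t read access to the raw memory devices, a permission broad enough to deserve a justifying comment, yet nothing in the hunk explains it and the commit message does not list an init change at all. Add a why-comment above the call naming the component and trigger, e.g. `# <component> reads raw memory devices during boot (<bug reference placeholder>)`, so the rule can be audited and dropped when no longer needed. Given how much init_t already holds this may be a pragmatic choice, but undocumented access to memory devices is exactly what a policy audit flags. The surrounding init_t rules continue outside the hunk.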
@@ -28086,7 +28091,7 @@ index dd3be8d..4d15ea1 100644
  
  domain_getpgid_all_domains(init_t)
  domain_kill_all_domains(init_t)
-@@ -139,14 +199,20 @@ domain_signal_all_domains(init_t)
+@@ -139,14 +200,20 @@ domain_signal_all_domains(init_t)
  domain_signull_all_domains(init_t)
  domain_sigstop_all_domains(init_t)
  domain_sigchld_all_domains(init_t)
@@ -28107,7 +28112,7 @@ index dd3be8d..4d15ea1 100644
  # file descriptors inherited from the rootfs:
  files_dontaudit_rw_root_files(init_t)
  files_dontaudit_rw_root_chr_files(init_t)
-@@ -156,28 +222,51 @@ fs_list_inotifyfs(init_t)
+@@ -156,28 +223,51 @@ fs_list_inotifyfs(init_t)
  fs_write_ramfs_sockets(init_t)
  
  mcs_process_set_categories(init_t)
@@ -28162,7 +28167,7 @@ index dd3be8d..4d15ea1 100644
  
  ifdef(`distro_gentoo',`
  	allow init_t self:process { getcap setcap };
-@@ -186,29 +275,204 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +276,204 @@ ifdef(`distro_gentoo',`
  ')
  
  ifdef(`distro_redhat',`
@@ -28375,7 +28380,7 @@ index dd3be8d..4d15ea1 100644
  ')
  
  optional_policy(`
-@@ -216,7 +480,30 @@ optional_policy(`
+@@ -216,7 +481,30 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28406,7 +28411,7 @@ index dd3be8d..4d15ea1 100644
  ')
  
  ########################################
-@@ -225,8 +512,9 @@ optional_policy(`
+@@ -225,8 +513,9 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -28418,7 +28423,7 @@ index dd3be8d..4d15ea1 100644
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
  
-@@ -257,12 +545,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -257,12 +546,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -28435,7 +28440,7 @@ index dd3be8d..4d15ea1 100644
  
  manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
  manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -278,23 +570,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -278,23 +571,36 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -28478,7 +28483,7 @@ index dd3be8d..4d15ea1 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -302,9 +607,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -302,9 +608,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -28490,7 +28495,7 @@ index dd3be8d..4d15ea1 100644
  dev_rw_sysfs(initrc_t)
  dev_list_usbfs(initrc_t)
  dev_read_framebuffer(initrc_t)
-@@ -312,8 +619,10 @@ dev_write_framebuffer(initrc_t)
+@@ -312,8 +620,10 @@ dev_write_framebuffer(initrc_t)
  dev_read_realtime_clock(initrc_t)
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
@@ -28501,7 +28506,7 @@ index dd3be8d..4d15ea1 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -321,8 +630,7 @@ dev_manage_generic_files(initrc_t)
+@@ -321,8 +631,7 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -28511,7 +28516,7 @@ index dd3be8d..4d15ea1 100644
  
  domain_kill_all_domains(initrc_t)
  domain_signal_all_domains(initrc_t)
-@@ -331,7 +639,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -331,7 +640,6 @@ domain_sigstop_all_domains(initrc_t)
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
@@ -28519,7 +28524,7 @@ index dd3be8d..4d15ea1 100644
  domain_getsession_all_domains(initrc_t)
  domain_use_interactive_fds(initrc_t)
  # for lsof which is used by alsa shutdown:
-@@ -339,6 +646,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -339,6 +647,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -28527,7 +28532,7 @@ index dd3be8d..4d15ea1 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -346,14 +654,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -346,14 +655,15 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -28545,7 +28550,7 @@ index dd3be8d..4d15ea1 100644
  files_read_usr_files(initrc_t)
  files_manage_urandom_seed(initrc_t)
  files_manage_generic_spool(initrc_t)
-@@ -363,8 +672,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -363,8 +673,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -28559,7 +28564,7 @@ index dd3be8d..4d15ea1 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -374,10 +687,11 @@ fs_mount_all_fs(initrc_t)
+@@ -374,10 +688,11 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -28573,7 +28578,7 @@ index dd3be8d..4d15ea1 100644
  mcs_process_set_categories(initrc_t)
  
  mls_file_read_all_levels(initrc_t)
-@@ -386,6 +700,7 @@ mls_process_read_up(initrc_t)
+@@ -386,6 +701,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -28581,7 +28586,7 @@ index dd3be8d..4d15ea1 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -397,6 +712,7 @@ term_use_all_terms(initrc_t)
+@@ -397,6 +713,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -28589,7 +28594,7 @@ index dd3be8d..4d15ea1 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -415,20 +731,18 @@ logging_read_all_logs(initrc_t)
+@@ -415,20 +732,18 @@ logging_read_all_logs(initrc_t)
  logging_append_all_logs(initrc_t)
  logging_read_audit_config(initrc_t)
  
@@ -28613,7 +28618,7 @@ index dd3be8d..4d15ea1 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -450,7 +764,6 @@ ifdef(`distro_gentoo',`
+@@ -450,7 +765,6 @@ ifdef(`distro_gentoo',`
  	allow initrc_t self:process setfscreate;
  	dev_create_null_dev(initrc_t)
  	dev_create_zero_dev(initrc_t)
@@ -28621,7 +28626,7 @@ index dd3be8d..4d15ea1 100644
  	term_create_console_dev(initrc_t)
  
  	# unfortunately /sbin/rc does stupid tricks
-@@ -485,6 +798,10 @@ ifdef(`distro_gentoo',`
+@@ -485,6 +799,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -28632,7 +28637,7 @@ index dd3be8d..4d15ea1 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -505,7 +822,7 @@ ifdef(`distro_redhat',`
+@@ -505,7 +823,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -28641,7 +28646,7 @@ index dd3be8d..4d15ea1 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -520,6 +837,7 @@ ifdef(`distro_redhat',`
+@@ -520,6 +838,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -28649,7 +28654,7 @@ index dd3be8d..4d15ea1 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -540,6 +858,7 @@ ifdef(`distro_redhat',`
+@@ -540,6 +859,7 @@ ifdef(`distro_redhat',`
  	miscfiles_rw_localization(initrc_t)
  	miscfiles_setattr_localization(initrc_t)
  	miscfiles_relabel_localization(initrc_t)
@@ -28657,7 +28662,7 @@ index dd3be8d..4d15ea1 100644
  
  	miscfiles_read_fonts(initrc_t)
  	miscfiles_read_hwdata(initrc_t)
-@@ -549,8 +868,44 @@ ifdef(`distro_redhat',`
+@@ -549,8 +869,44 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -28702,7 +28707,7 @@ index dd3be8d..4d15ea1 100644
  	')
  
  	optional_policy(`
-@@ -558,14 +913,31 @@ ifdef(`distro_redhat',`
+@@ -558,14 +914,31 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -28734,7 +28739,7 @@ index dd3be8d..4d15ea1 100644
  	')
  ')
  
-@@ -576,6 +948,39 @@ ifdef(`distro_suse',`
+@@ -576,6 +949,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -28774,7 +28779,7 @@ index dd3be8d..4d15ea1 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -588,6 +993,8 @@ optional_policy(`
+@@ -588,6 +994,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -28783,7 +28788,7 @@ index dd3be8d..4d15ea1 100644
  ')
  
  optional_policy(`
-@@ -609,6 +1016,7 @@ optional_policy(`
+@@ -609,6 +1017,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -28791,7 +28796,7 @@ index dd3be8d..4d15ea1 100644
  ')
  
  optional_policy(`
-@@ -625,6 +1033,17 @@ optional_policy(`
+@@ -625,6 +1034,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28809,7 +28814,7 @@ index dd3be8d..4d15ea1 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -641,9 +1060,13 @@ optional_policy(`
+@@ -641,9 +1061,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -28823,7 +28828,7 @@ index dd3be8d..4d15ea1 100644
  	')
  
  	optional_policy(`
-@@ -656,15 +1079,11 @@ optional_policy(`
+@@ -656,15 +1080,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28841,7 +28846,7 @@ index dd3be8d..4d15ea1 100644
  ')
  
  optional_policy(`
-@@ -685,6 +1104,15 @@ optional_policy(`
+@@ -685,6 +1105,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28857,7 +28862,7 @@ index dd3be8d..4d15ea1 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -725,6 +1153,7 @@ optional_policy(`
+@@ -725,6 +1154,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -28865,7 +28870,7 @@ index dd3be8d..4d15ea1 100644
  ')
  
  optional_policy(`
-@@ -742,7 +1171,13 @@ optional_policy(`
+@@ -742,7 +1172,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28880,7 +28885,7 @@ index dd3be8d..4d15ea1 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -765,6 +1200,10 @@ optional_policy(`
+@@ -765,6 +1201,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28891,7 +28896,7 @@ index dd3be8d..4d15ea1 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -774,10 +1213,20 @@ optional_policy(`
+@@ -774,10 +1214,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28912,7 +28917,7 @@ index dd3be8d..4d15ea1 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -786,6 +1235,10 @@ optional_policy(`
+@@ -786,6 +1236,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28923,7 +28928,7 @@ index dd3be8d..4d15ea1 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -807,8 +1260,6 @@ optional_policy(`
+@@ -807,8 +1261,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -28932,7 +28937,7 @@ index dd3be8d..4d15ea1 100644
  ')
  
  optional_policy(`
-@@ -817,6 +1268,10 @@ optional_policy(`
+@@ -817,6 +1269,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28943,7 +28948,7 @@ index dd3be8d..4d15ea1 100644
  	# shorewall-init script run /var/lib/shorewall/firewall
  	shorewall_lib_domtrans(initrc_t)
  ')
-@@ -826,10 +1281,12 @@ optional_policy(`
+@@ -826,10 +1282,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -28956,7 +28961,7 @@ index dd3be8d..4d15ea1 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -856,12 +1313,28 @@ optional_policy(`
+@@ -856,12 +1314,28 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28986,7 +28991,7 @@ index dd3be8d..4d15ea1 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -871,6 +1344,18 @@ optional_policy(`
+@@ -871,6 +1345,18 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -29005,7 +29010,7 @@ index dd3be8d..4d15ea1 100644
  ')
  
  optional_policy(`
-@@ -886,6 +1371,10 @@ optional_policy(`
+@@ -886,6 +1372,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29016,7 +29021,7 @@ index dd3be8d..4d15ea1 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -896,3 +1385,196 @@ optional_policy(`
+@@ -896,3 +1386,196 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -29214,7 +29219,7 @@ index dd3be8d..4d15ea1 100644
 +    allow direct_run_init direct_init_entry:file { getattr open read execute };
 +')
 diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
-index 662e79b..ae5a411 100644
+index 662e79b..a199ffd 100644
 --- a/policy/modules/system/ipsec.fc
 +++ b/policy/modules/system/ipsec.fc
 @@ -1,14 +1,22 @@
@@ -29241,7 +29246,7 @@ index 662e79b..ae5a411 100644
  
  /sbin/setkey			--	gen_context(system_u:object_r:setkey_exec_t,s0)
  
-@@ -26,16 +34,22 @@
+@@ -26,16 +34,23 @@
  /usr/libexec/ipsec/pluto	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
  /usr/libexec/ipsec/spi		--	gen_context(system_u:object_r:ipsec_exec_t,s0)
  /usr/libexec/nm-openswan-service -- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
@@ -29259,6 +29264,7 @@ index 662e79b..ae5a411 100644
  
  /var/racoon(/.*)?			gen_context(system_u:object_r:ipsec_var_run_t,s0)
  
++/var/run/charon\.ctl     -s  gen_context(system_u:object_r:ipsec_var_run_t,s0)
 +/var/run/charon.*       --  gen_context(system_u:object_r:ipsec_var_run_t,s0)
  /var/run/pluto(/.*)?			gen_context(system_u:object_r:ipsec_var_run_t,s0)
  /var/run/racoon\.pid		--	gen_context(system_u:object_r:ipsec_var_run_t,s0)
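Review bot: The new `/var/run/charon\.ctl -s` entry separates its fields with runs of spaces while the neighbouring pluto and racoon entries use tabs, so the columns drift; reformat it to match, `/var/run/charon\.ctl		-s	gen_context(system_u:object_r:ipsec_var_run_t,s0)`. A one-line `#` comment noting that the `--` charon.* entry below it only matches regular files, which is why the control socket needs its own `-s` line, would stop someone later "simplifying" the two entries into one.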
@@ -29951,7 +29957,7 @@ index 5dfa44b..cafb28e 100644
  
  optional_policy(`
 diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
-index 73bb3c0..6e848de 100644
+index 73bb3c0..5b9420f 100644
 --- a/policy/modules/system/libraries.fc
 +++ b/policy/modules/system/libraries.fc
 @@ -1,3 +1,4 @@
@@ -30017,7 +30023,12 @@ index 73bb3c0..6e848de 100644
  /usr/lib/altivec/libavcodec\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/cedega/.+\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/dovecot/(.*/)?lib.*\.so.*      --      gen_context(system_u:object_r:lib_t,s0)
-@@ -129,6 +138,7 @@ ifdef(`distro_redhat',`
+@@ -125,10 +134,12 @@ ifdef(`distro_redhat',`
+ /usr/lib/vlc/codec/libdmo_plugin\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/vlc/codec/librealaudio_plugin\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/libtfmessbsp\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/sasl2/libsasldb\.so(\.[^/]*)* --  gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/xorg/libGL\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/X11R6/lib/libGL\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/libGL\.so(\.[^/]*)*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/catalyst/libGL\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
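Review bot: The new libsasldb pattern labels the library textrel_shlib_t, which permits text relocations (execmod) on that object and so relaxes the default library policy, but it is added without any comment saying why. Record the reason and tracking reference above it, e.g. `# libsasldb carries text relocations; see <bug reference placeholder>`, so the entry can be removed once the library is rebuilt without TEXTREL. The commit message names `/usr/lib64/sasl2/libsasldb.so.3.0.0` whereas the pattern matches `/usr/lib/sasl2/...`; presumably the lib64-to-lib path substitution used by this build covers it, but confirming with matchpathcon on a lib64 host would be prudent.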
@@ -30025,7 +30036,7 @@ index 73bb3c0..6e848de 100644
  /usr/lib/libADM5.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/libatiadlxx\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/win32/.*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -141,19 +151,21 @@ ifdef(`distro_redhat',`
+@@ -141,19 +152,21 @@ ifdef(`distro_redhat',`
  /usr/lib/ati-fglrx/.+\.so(\..*)?	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/fglrx/.*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/libjs\.so.*			--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -30052,7 +30063,7 @@ index 73bb3c0..6e848de 100644
  /usr/NX/lib/libXcomp\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/NX/lib/libjpeg\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  
-@@ -182,11 +194,13 @@ ifdef(`distro_redhat',`
+@@ -182,11 +195,13 @@ ifdef(`distro_redhat',`
  # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
  # 	HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
  HOME_DIR/.*/plugins/nppdf\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -30066,7 +30077,7 @@ index 73bb3c0..6e848de 100644
  /usr/lib/libfglrx_gamma\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/mozilla/plugins/nppdf\.so 	-- 	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/mozilla/plugins/libvlcplugin\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -241,13 +255,11 @@ HOME_DIR/.*/plugins/nppdf\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_
+@@ -241,13 +256,11 @@ HOME_DIR/.*/plugins/nppdf\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_
  
  # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
  /usr/lib.*/libmpg123\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -30082,7 +30093,7 @@ index 73bb3c0..6e848de 100644
  
  # Jai, Sun Microsystems (Jpackage SPRM)
  /usr/lib/libmlib_jai\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -269,20 +281,19 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
+@@ -269,20 +282,19 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
  
  # Java, Sun Microsystems (JPackage SRPM)
  /usr/(.*/)?jre.*/.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -30113,7 +30124,7 @@ index 73bb3c0..6e848de 100644
  
  /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  
-@@ -299,17 +310,155 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
+@@ -299,17 +311,155 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
  #
  /var/cache/ldconfig(/.*)?			gen_context(system_u:object_r:ldconfig_cache_t,s0)
  
@@ -31322,7 +31333,7 @@ index 4e94884..9b82ed0 100644
 +    logging_log_filetrans($1, var_log_t, dir, "anaconda")
 +')
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 39ea221..0c383ca 100644
+index 39ea221..616d6a8 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
 @@ -4,6 +4,21 @@ policy_module(logging, 1.19.6)
@@ -31583,15 +31594,16 @@ index 39ea221..0c383ca 100644
  # syslog-ng can listen and connect on tcp port 514 (rsh)
  corenet_tcp_sendrecv_generic_if(syslogd_t)
  corenet_tcp_sendrecv_generic_node(syslogd_t)
-@@ -417,6 +470,7 @@ corenet_tcp_bind_rsh_port(syslogd_t)
+@@ -417,6 +470,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
  corenet_tcp_connect_rsh_port(syslogd_t)
  # Allow users to define additional syslog ports to connect to
  corenet_tcp_bind_syslogd_port(syslogd_t)
 +corenet_tcp_bind_syslog_tls_port(syslogd_t)
++corenet_tcp_connect_syslog_tls_port(syslogd_t)
  corenet_tcp_connect_syslogd_port(syslogd_t)
  corenet_tcp_connect_postgresql_port(syslogd_t)
  corenet_tcp_connect_mysqld_port(syslogd_t)
-@@ -427,9 +481,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
+@@ -427,9 +482,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
  corenet_sendrecv_postgresql_client_packets(syslogd_t)
  corenet_sendrecv_mysqld_client_packets(syslogd_t)
  
@@ -31619,7 +31631,7 @@ index 39ea221..0c383ca 100644
  domain_use_interactive_fds(syslogd_t)
  
  files_read_etc_files(syslogd_t)
-@@ -442,14 +513,19 @@ files_read_kernel_symbol_table(syslogd_t)
+@@ -442,14 +514,19 @@ files_read_kernel_symbol_table(syslogd_t)
  files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
  
  fs_getattr_all_fs(syslogd_t)
@@ -31639,7 +31651,7 @@ index 39ea221..0c383ca 100644
  # for sending messages to logged in users
  init_read_utmp(syslogd_t)
  init_dontaudit_write_utmp(syslogd_t)
-@@ -461,11 +537,11 @@ init_use_fds(syslogd_t)
+@@ -461,11 +538,11 @@ init_use_fds(syslogd_t)
  
  # cjp: this doesnt make sense
  logging_send_syslog_msg(syslogd_t)
@@ -31654,7 +31666,7 @@ index 39ea221..0c383ca 100644
  
  ifdef(`distro_gentoo',`
  	# default gentoo syslog-ng config appends kernel
-@@ -502,15 +578,40 @@ optional_policy(`
+@@ -502,15 +579,40 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -31695,7 +31707,7 @@ index 39ea221..0c383ca 100644
  ')
  
  optional_policy(`
-@@ -521,3 +622,26 @@ optional_policy(`
+@@ -521,3 +623,26 @@ optional_policy(`
  	# log to the xconsole
  	xserver_rw_console(syslogd_t)
  ')
@@ -35342,7 +35354,7 @@ index 346a7cc..42a48b6 100644
 +/var/run/netns(/.*)?		gen_context(system_u:object_r:ifconfig_var_run_t,s0)
 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
 diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index 6944526..1f23aab 100644
+index 6944526..b82ccf1 100644
 --- a/policy/modules/system/sysnetwork.if
 +++ b/policy/modules/system/sysnetwork.if
 @@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
@@ -35481,7 +35493,48 @@ index 6944526..1f23aab 100644
  		read_files_pattern($1, net_conf_t, net_conf_t)
  	')
  ')
-@@ -433,6 +529,7 @@ interface(`sysnet_manage_config',`
+@@ -415,6 +511,40 @@ interface(`sysnet_etc_filetrans_config',`
+ 	files_etc_filetrans($1, net_conf_t, file, $2)
+ ')
+ 
++########################################
++## <summary>
++##	Transition content to the type used for
++##	the network config files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##      Domain allowed access.
++##	</summary>
++## </param>
++## <param name="private type">
++##	<summary>
++##	The type of the directory to which the object will be created.
++##	</summary>
++## </param>
++## <param name="object_class">
++##	<summary>
++##	The object class.
++##	</summary>
++## </param>
++## <param name="name" optional="true">
++##	<summary>
++##	The name of the object being created.
++##	</summary>
++## </param>
++#
++interface(`sysnet_filetrans_config_fromdir',`
++	gen_require(`
++		type net_conf_t;
++	')
++
++	filetrans_pattern($1, $2, net_conf_t, $3, $4)
++')
++
+ #######################################
+ ## <summary>
+ ##	Create, read, write, and delete network config files.
+@@ -433,6 +563,7 @@ interface(`sysnet_manage_config',`
  	allow $1 net_conf_t:file manage_file_perms;
  
  	ifdef(`distro_redhat',`
@@ -35489,7 +35542,7 @@ index 6944526..1f23aab 100644
  		manage_files_pattern($1, net_conf_t, net_conf_t)
  	')
  ')
-@@ -471,6 +568,7 @@ interface(`sysnet_delete_dhcpc_pid',`
+@@ -471,6 +602,7 @@ interface(`sysnet_delete_dhcpc_pid',`
  		type dhcpc_var_run_t;
  	')
  
@@ -35497,7 +35550,7 @@ index 6944526..1f23aab 100644
  	allow $1 dhcpc_var_run_t:file unlink;
  ')
  
-@@ -580,6 +678,25 @@ interface(`sysnet_signull_ifconfig',`
+@@ -580,6 +712,25 @@ interface(`sysnet_signull_ifconfig',`
  
  ########################################
  ## <summary>
@@ -35523,7 +35576,7 @@ index 6944526..1f23aab 100644
  ##	Read the DHCP configuration files.
  ## </summary>
  ## <param name="domain">
-@@ -596,6 +713,7 @@ interface(`sysnet_read_dhcp_config',`
+@@ -596,6 +747,7 @@ interface(`sysnet_read_dhcp_config',`
  	files_search_etc($1)
  	allow $1 dhcp_etc_t:dir list_dir_perms;
  	read_files_pattern($1, dhcp_etc_t, dhcp_etc_t)
@@ -35531,7 +35584,7 @@ index 6944526..1f23aab 100644
  ')
  
  ########################################
-@@ -681,8 +799,6 @@ interface(`sysnet_dns_name_resolve',`
+@@ -681,8 +833,6 @@ interface(`sysnet_dns_name_resolve',`
  	allow $1 self:udp_socket create_socket_perms;
  	allow $1 self:netlink_route_socket r_netlink_socket_perms;
  
@@ -35540,7 +35593,7 @@ index 6944526..1f23aab 100644
  	corenet_tcp_sendrecv_generic_if($1)
  	corenet_udp_sendrecv_generic_if($1)
  	corenet_tcp_sendrecv_generic_node($1)
-@@ -692,6 +808,8 @@ interface(`sysnet_dns_name_resolve',`
+@@ -692,6 +842,8 @@ interface(`sysnet_dns_name_resolve',`
  	corenet_tcp_connect_dns_port($1)
  	corenet_sendrecv_dns_client_packets($1)
  
@@ -35549,7 +35602,7 @@ index 6944526..1f23aab 100644
  	sysnet_read_config($1)
  
  	optional_policy(`
-@@ -720,8 +838,6 @@ interface(`sysnet_use_ldap',`
+@@ -720,8 +872,6 @@ interface(`sysnet_use_ldap',`
  
  	allow $1 self:tcp_socket create_socket_perms;
  
@@ -35558,7 +35611,7 @@ index 6944526..1f23aab 100644
  	corenet_tcp_sendrecv_generic_if($1)
  	corenet_tcp_sendrecv_generic_node($1)
  	corenet_tcp_sendrecv_ldap_port($1)
-@@ -733,6 +849,9 @@ interface(`sysnet_use_ldap',`
+@@ -733,6 +883,9 @@ interface(`sysnet_use_ldap',`
  	dev_read_urand($1)
  
  	sysnet_read_config($1)
@@ -35568,7 +35621,7 @@ index 6944526..1f23aab 100644
  ')
  
  ########################################
-@@ -754,7 +873,6 @@ interface(`sysnet_use_portmap',`
+@@ -754,7 +907,6 @@ interface(`sysnet_use_portmap',`
  	allow $1 self:udp_socket create_socket_perms;
  
  	corenet_all_recvfrom_unlabeled($1)
@@ -35576,7 +35629,7 @@ index 6944526..1f23aab 100644
  	corenet_tcp_sendrecv_generic_if($1)
  	corenet_udp_sendrecv_generic_if($1)
  	corenet_tcp_sendrecv_generic_node($1)
-@@ -766,3 +884,74 @@ interface(`sysnet_use_portmap',`
+@@ -766,3 +918,74 @@ interface(`sysnet_use_portmap',`
  
  	sysnet_read_config($1)
  ')
@@ -36086,10 +36139,10 @@ index 0000000..e9f1096
 +/var/run/initramfs(/.*)?	<<none>>
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..f0fe449
+index 0000000..35b4178
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,1394 @@
+@@ -0,0 +1,1400 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +######################################
@@ -37148,7 +37201,9 @@ index 0000000..f0fe449
 +		type systemd_home_t;
 +	')
 +
-+	gnome_search_gconf_data_dir($1)
++	optional_policy(`
++		gnome_search_gconf_data_dir($1)
++	')
 +	read_files_pattern($1, systemd_home_t, systemd_home_t)
 +	read_lnk_files_pattern($1, systemd_home_t, systemd_home_t)
 +')
@@ -37168,7 +37223,9 @@ index 0000000..f0fe449
 +		type systemd_home_t;
 +	')
 +
-+	gnome_search_gconf_data_dir($1)
++	optional_policy(`
++		gnome_search_gconf_data_dir($1)
++	')
 +	manage_dirs_pattern($1, systemd_home_t, systemd_home_t)
 +	manage_files_pattern($1, systemd_home_t, systemd_home_t)
 +	manage_lnk_files_pattern($1, systemd_home_t, systemd_home_t)
@@ -37191,7 +37248,9 @@ index 0000000..f0fe449
 +		type systemd_home_t;
 +	')
 +
-+	gnome_data_filetrans($1, systemd_home_t, dir, "systemd")
++	optional_policy(`
++		gnome_data_filetrans($1, systemd_home_t, dir, "systemd")
++	')
 +')
 +
 +########################################
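Review bot: After this hunk the interface closing at `')` consists solely of an optional_policy wrapper around `gnome_data_filetrans($1, systemd_home_t, dir, "systemd")`, so on a build without the gnome module the interface still exists but grants nothing, and callers get no signal that the file transition is missing. State that in the interface's summary, e.g. `## Only effective when the gnome module is present.`, or move the transition to a non-gnome pattern. The two earlier hunks in this file that wrap gnome_search_gconf_data_dir are fine, since those interfaces keep their systemd_home_t read and manage rules outside the optional block. The interface header is outside the hunk.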
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index a454f43..19aeacc 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -4707,7 +4707,7 @@ index 83e899c..fac6fe5 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
  ')
 diff --git a/apache.te b/apache.te
-index 1a82e29..19bd545 100644
+index 1a82e29..e84c56d 100644
 --- a/apache.te
 +++ b/apache.te
 @@ -1,297 +1,367 @@
@@ -5395,7 +5395,7 @@ index 1a82e29..19bd545 100644
  allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
  
  manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-@@ -445,140 +551,165 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -445,140 +551,167 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  
@@ -5508,6 +5508,8 @@ index 1a82e29..19bd545 100644
  logging_send_syslog_msg(httpd_t)
  
 -miscfiles_read_localization(httpd_t)
++init_dontaudit_read_utmp(httpd_t)
++
  miscfiles_read_fonts(httpd_t)
  miscfiles_read_public_files(httpd_t)
  miscfiles_read_generic_certs(httpd_t)
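Review bot: The `init_dontaudit_read_utmp(httpd_t)` added to apache.te here is not listed in the commit description or the spec changelog, and the same is true of the `zoneminder_stream_connect`/`zoneminder_exec` grants for httpd_t in the later apache.te hunk, the removal of the slapd_t `sys_resource` hunk from ldap.te, the `resolv.conf` filetrans for pppd_t in ppp.te and the `capability2 block_suspend` grant for thin_t in thin.te. Since the description already marks one item as needing a RHEL6.5 backport, every access-vector change should carry its own changelog line so a downstream maintainer can trace it; for this one something like `- Dontaudit httpd_t reading utmp` would do. The httpd_t block this line belongs to starts and ends outside the hunk.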
@@ -5626,7 +5628,7 @@ index 1a82e29..19bd545 100644
  ')
  
  tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -589,28 +720,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -589,28 +722,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
  	fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
  ')
  
@@ -5686,7 +5688,7 @@ index 1a82e29..19bd545 100644
  ')
  
  tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -619,68 +772,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -619,68 +774,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
  	fs_read_nfs_symlinks(httpd_t)
  ')
  
@@ -5777,7 +5779,7 @@ index 1a82e29..19bd545 100644
  ')
  
  tunable_policy(`httpd_setrlimit',`
-@@ -690,49 +819,48 @@ tunable_policy(`httpd_setrlimit',`
+@@ -690,49 +821,48 @@ tunable_policy(`httpd_setrlimit',`
  
  tunable_policy(`httpd_ssi_exec',`
  	corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@@ -5858,7 +5860,7 @@ index 1a82e29..19bd545 100644
  ')
  
  optional_policy(`
-@@ -743,14 +871,6 @@ optional_policy(`
+@@ -743,14 +873,6 @@ optional_policy(`
  	ccs_read_config(httpd_t)
  ')
  
@@ -5873,7 +5875,7 @@ index 1a82e29..19bd545 100644
  
  optional_policy(`
  	cron_system_entry(httpd_t, httpd_exec_t)
-@@ -765,6 +885,23 @@ optional_policy(`
+@@ -765,6 +887,23 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -5897,7 +5899,7 @@ index 1a82e29..19bd545 100644
  	dbus_system_bus_client(httpd_t)
  
  	tunable_policy(`httpd_dbus_avahi',`
-@@ -781,34 +918,46 @@ optional_policy(`
+@@ -781,34 +920,46 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -5955,7 +5957,7 @@ index 1a82e29..19bd545 100644
  
  	tunable_policy(`httpd_manage_ipa',`
  		memcached_manage_pid_files(httpd_t)
-@@ -816,8 +965,18 @@ optional_policy(`
+@@ -816,8 +967,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -5974,7 +5976,7 @@ index 1a82e29..19bd545 100644
  
  	tunable_policy(`httpd_can_network_connect_db',`
  		mysql_tcp_connect(httpd_t)
-@@ -826,6 +985,7 @@ optional_policy(`
+@@ -826,6 +987,7 @@ optional_policy(`
  
  optional_policy(`
  	nagios_read_config(httpd_t)
@@ -5982,7 +5984,7 @@ index 1a82e29..19bd545 100644
  ')
  
  optional_policy(`
-@@ -836,20 +996,39 @@ optional_policy(`
+@@ -836,20 +998,39 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6028,7 +6030,7 @@ index 1a82e29..19bd545 100644
  ')
  
  optional_policy(`
-@@ -857,19 +1036,35 @@ optional_policy(`
+@@ -857,19 +1038,35 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6064,7 +6066,7 @@ index 1a82e29..19bd545 100644
  	udev_read_db(httpd_t)
  ')
  
-@@ -877,65 +1072,170 @@ optional_policy(`
+@@ -877,65 +1074,172 @@ optional_policy(`
  	yam_read_content(httpd_t)
  ')
  
@@ -6077,6 +6079,8 @@ index 1a82e29..19bd545 100644
 +optional_policy(`
 +    zoneminder_manage_lib_dirs(httpd_t)
 +    zoneminder_manage_lib_files(httpd_t)
++    zoneminder_stream_connect(httpd_t)
++    zoneminder_exec(httpd_t)
 +')
 +
  ########################################
@@ -6257,7 +6261,7 @@ index 1a82e29..19bd545 100644
  files_dontaudit_search_pids(httpd_suexec_t)
  files_search_home(httpd_suexec_t)
  
-@@ -944,123 +1244,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -944,123 +1248,74 @@ auth_use_nsswitch(httpd_suexec_t)
  logging_search_logs(httpd_suexec_t)
  logging_send_syslog_msg(httpd_suexec_t)
  
@@ -6412,7 +6416,7 @@ index 1a82e29..19bd545 100644
  	mysql_read_config(httpd_suexec_t)
  
  	tunable_policy(`httpd_can_network_connect_db',`
-@@ -1077,172 +1328,104 @@ optional_policy(`
+@@ -1077,172 +1332,104 @@ optional_policy(`
  	')
  ')
  
@@ -6648,7 +6652,7 @@ index 1a82e29..19bd545 100644
  ')
  
  tunable_policy(`httpd_read_user_content',`
-@@ -1250,64 +1433,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1250,64 +1437,74 @@ tunable_policy(`httpd_read_user_content',`
  ')
  
  tunable_policy(`httpd_use_cifs',`
@@ -6745,7 +6749,7 @@ index 1a82e29..19bd545 100644
  
  ########################################
  #
-@@ -1315,8 +1508,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1315,8 +1512,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
  #
  
  optional_policy(`
@@ -6762,7 +6766,7 @@ index 1a82e29..19bd545 100644
  ')
  
  ########################################
-@@ -1324,49 +1524,38 @@ optional_policy(`
+@@ -1324,49 +1528,38 @@ optional_policy(`
  # User content local policy
  #
  
@@ -6827,7 +6831,7 @@ index 1a82e29..19bd545 100644
  kernel_read_system_state(httpd_passwd_t)
  
  corecmd_exec_bin(httpd_passwd_t)
-@@ -1376,38 +1565,99 @@ dev_read_urand(httpd_passwd_t)
+@@ -1376,38 +1569,99 @@ dev_read_urand(httpd_passwd_t)
  
  domain_use_interactive_fds(httpd_passwd_t)
  
@@ -32133,7 +32137,7 @@ index a49ae4e..0c0e987 100644
 +
 +/var/lock/kdump(/.*)?   gen_context(system_u:object_r:kdump_lock_t,s0)
 diff --git a/kdump.if b/kdump.if
-index 3a00b3a..a60cc05 100644
+index 3a00b3a..21efcc4 100644
 --- a/kdump.if
 +++ b/kdump.if
 @@ -1,4 +1,4 @@
@@ -32204,7 +32208,7 @@ index 3a00b3a..a60cc05 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -56,10 +100,68 @@ interface(`kdump_read_config',`
+@@ -56,10 +100,67 @@ interface(`kdump_read_config',`
  	allow $1 kdump_etc_t:file read_file_perms;
  ')
  
@@ -32228,7 +32232,6 @@ index 3a00b3a..a60cc05 100644
 +	list_dirs_pattern($1, kdump_crash_t, kdump_crash_t)
 +')
 +
-+
 +#####################################
 +## <summary>
 +##	Read kdump crash files.
@@ -32275,7 +32278,7 @@ index 3a00b3a..a60cc05 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -76,10 +178,51 @@ interface(`kdump_manage_config',`
+@@ -76,10 +177,69 @@ interface(`kdump_manage_config',`
  	allow $1 kdump_etc_t:file manage_file_perms;
  ')
  
@@ -32320,6 +32323,24 @@ index 3a00b3a..a60cc05 100644
 +	manage_lnk_files_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t)
 +')
 +
++#######################################
++## <summary>
++##  Transition content labels to kdump named content
++## </summary>
++## <param name="domain">
++##  <summary>
++##      Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`kdump_filetrans_named_content',`
++    gen_require(`
++        type kdump_lock_t;
++    ')
++
++    files_lock_filetrans($1, kdump_lock_t, file, "kdump")
++')
++
  ######################################
  ## <summary>
 -##	All of the rules required to
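Review bot: The new `kdump_filetrans_named_content` interface is indented with four spaces and its XML summary with two, while the surrounding kdump.if content (for example the `manage_lnk_files_pattern` line just above it) uses tabs; the body should be `	gen_require(\`` / `		type kdump_lock_t;` / `	files_lock_filetrans($1, kdump_lock_t, file, "kdump")` with tab indentation to match the file. Separately, the kdump.fc entry in the preceding hunk is `/var/lock/kdump(/.*)?`, which labels a directory tree as well as a plain file, whereas this transition only covers the `file` class; if kdumpctl ever creates `/var/lock/kdump` as a directory the label would not transition, so it may be worth confirming which object kdumpctl creates and adding a `dir` entry if needed.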
@@ -32329,7 +32350,7 @@ index 3a00b3a..a60cc05 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -88,19 +231,24 @@ interface(`kdump_manage_config',`
+@@ -88,19 +248,24 @@ interface(`kdump_manage_config',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -32359,7 +32380,7 @@ index 3a00b3a..a60cc05 100644
  
  	init_labeled_script_domtrans($1, kdump_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -110,6 +258,10 @@ interface(`kdump_admin',`
+@@ -110,6 +275,10 @@ interface(`kdump_admin',`
  	files_search_etc($1)
  	admin_pattern($1, kdump_etc_t)
  
@@ -35163,7 +35184,7 @@ index ee0c7cc..c54e3d2 100644
 +	allow $1 slapd_unit_file_t:service all_service_perms;
  ')
 diff --git a/ldap.te b/ldap.te
-index d7d9b09..b93f460 100644
+index d7d9b09..562c288 100644
 --- a/ldap.te
 +++ b/ldap.te
 @@ -21,6 +21,9 @@ files_config_file(slapd_etc_t)
@@ -35176,15 +35197,6 @@ index d7d9b09..b93f460 100644
  type slapd_lock_t;
  files_lock_file(slapd_lock_t)
  
-@@ -44,7 +47,7 @@ files_pid_file(slapd_var_run_t)
- # Local policy
- #
- 
--allow slapd_t self:capability { kill setgid setuid net_raw dac_override dac_read_search };
-+allow slapd_t self:capability { kill setgid setuid net_raw dac_override dac_read_search sys_resource };
- dontaudit slapd_t self:capability sys_tty_config;
- allow slapd_t self:process setsched;
- allow slapd_t self:fifo_file rw_fifo_file_perms;
 @@ -88,7 +91,6 @@ files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file })
  kernel_read_system_state(slapd_t)
  kernel_read_kernel_sysctls(slapd_t)
@@ -35614,9 +35626,18 @@ index d18c960..fb5b674 100644
  	domain_system_change_exemption($1)
  	role_transition $2 lldpad_initrc_exec_t system_r;
 diff --git a/lldpad.te b/lldpad.te
-index 648def0..0b6281d 100644
+index 648def0..b17392a 100644
 --- a/lldpad.te
 +++ b/lldpad.te
+@@ -26,7 +26,7 @@ files_pid_file(lldpad_var_run_t)
+ # Local policy
+ #
+ 
+-allow lldpad_t self:capability { net_admin net_raw };
++allow lldpad_t self:capability { net_admin net_raw sys_resource };
+ allow lldpad_t self:shm create_shm_perms;
+ allow lldpad_t self:fifo_file rw_fifo_file_perms;
+ allow lldpad_t self:unix_stream_socket { accept listen };
 @@ -51,11 +51,9 @@ kernel_request_load_module(lldpad_t)
  
  dev_read_sysfs(lldpad_t)
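Review bot: The `sys_resource` added to the lldpad_t capability set has no comment recording which lldpad operation requires it, and the same applies to the `capability2 block_suspend` grant for thin_t in the thin.te hunk further down. Both capabilities are commonly triggered by probes (a setrlimit attempt, or epoll with EPOLLWAKEUP) that the daemon tolerates when refused, in which case the usual policy answer is a `dontaudit` rather than an `allow`; if the AVC came from a real failure a one-line `# needed for <operation>` comment above the rule would let the next reviewer tell the two cases apart. I cannot tell from the hunk which case this is, so treat it as a question rather than a defect.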
@@ -39749,7 +39770,7 @@ index 6ffaba2..2c1c0e0 100644
 +/usr/lib/nspluginwrapper/plugin-config			--	gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
 +')
 diff --git a/mozilla.if b/mozilla.if
-index 6194b80..1e67988 100644
+index 6194b80..d54c5ba 100644
 --- a/mozilla.if
 +++ b/mozilla.if
 @@ -1,146 +1,75 @@
@@ -40440,7 +40461,7 @@ index 6194b80..1e67988 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -530,45 +499,55 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
+@@ -530,45 +499,57 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -40517,7 +40538,9 @@ index 6194b80..1e67988 100644
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".IBMERS")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, file, ".gnashpluginrc")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".webex")
-+	gnome_cache_filetrans($1, mozilla_home_t, dir, "mozilla")
++	optional_policy(`
++		gnome_cache_filetrans($1, mozilla_home_t, dir, "mozilla")
++	')
  ')
 +
 diff --git a/mozilla.te b/mozilla.te
@@ -46208,10 +46231,10 @@ index 56c0fbd..173a2c0 100644
  
  userdom_dontaudit_use_unpriv_user_fds(nessusd_t)
 diff --git a/networkmanager.fc b/networkmanager.fc
-index a1fb3c3..82f8ae6 100644
+index a1fb3c3..2b818b9 100644
 --- a/networkmanager.fc
 +++ b/networkmanager.fc
-@@ -1,43 +1,44 @@
+@@ -1,43 +1,45 @@
 -/etc/rc\.d/init\.d/wicd	--	gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/wicd		--	gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
  
@@ -46277,10 +46300,11 @@ index a1fb3c3..82f8ae6 100644
  /var/run/nm-dns-dnsmasq\.conf	--	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 -/var/run/wpa_supplicant(/.*)?	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 +/var/run/nm-xl2tpd.conf.*       --  gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
++/var/run/wicd\.pid	--	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 +/var/run/wpa_supplicant(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
  /var/run/wpa_supplicant-global	-s	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 diff --git a/networkmanager.if b/networkmanager.if
-index 0e8508c..f8893f8 100644
+index 0e8508c..ee2e3de 100644
 --- a/networkmanager.if
 +++ b/networkmanager.if
 @@ -2,7 +2,7 @@
@@ -46557,7 +46581,7 @@ index 0e8508c..f8893f8 100644
  ##	</summary>
  ## </param>
  ## <param name="role">
-@@ -227,33 +310,132 @@ interface(`networkmanager_read_pid_files',`
+@@ -227,33 +310,133 @@ interface(`networkmanager_read_pid_files',`
  ## </param>
  ## <rolecap/>
  #
@@ -46705,6 +46729,7 @@ index 0e8508c..f8893f8 100644
 +	files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em6.conf")
 +	files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em7.conf")
 +	files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em8.conf")
++	files_pid_filetrans($1, NetworkManager_var_run_t, file, "wicd.pid")
 +	files_etc_filetrans($1, NetworkManager_var_lib_t, file, "manager-settings.conf")
 +	files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireless-settings.conf")
 +	files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wired-settings.conf")
@@ -49132,10 +49157,10 @@ index 0000000..22e6c96
 +/usr/lib/mozilla/plugins-wrapped(/.*)?			gen_context(system_u:object_r:nsplugin_rw_t,s0)
 diff --git a/nsplugin.if b/nsplugin.if
 new file mode 100644
-index 0000000..fce899a
+index 0000000..16f4789
 --- /dev/null
 +++ b/nsplugin.if
-@@ -0,0 +1,472 @@
+@@ -0,0 +1,474 @@
 +
 +## <summary>policy for nsplugin</summary>
 +
@@ -49236,7 +49261,9 @@ index 0000000..fce899a
 +
 +	# Connect to pulseaudit server
 +	stream_connect_pattern(nsplugin_t, user_home_t, user_home_t, $2)
-+	gnome_stream_connect(nsplugin_t, $2)
++	optional_policy(`
++		gnome_stream_connect(nsplugin_t, $2)
++	')
 +
 +	userdom_use_inherited_user_terminals(nsplugin_t)
 +	userdom_use_inherited_user_terminals(nsplugin_config_t)
@@ -61239,7 +61266,7 @@ index cd8b8b9..6c73980 100644
 +	allow $1 pppd_unit_file_t:service all_service_perms;
  ')
 diff --git a/ppp.te b/ppp.te
-index b2b5dba..7b8a7d1 100644
+index b2b5dba..9bc465c 100644
 --- a/ppp.te
 +++ b/ppp.te
 @@ -1,4 +1,4 @@
@@ -61424,7 +61451,7 @@ index b2b5dba..7b8a7d1 100644
  corecmd_exec_bin(pppd_t)
  corecmd_exec_shell(pppd_t)
  
-@@ -147,36 +169,30 @@ files_exec_etc_files(pppd_t)
+@@ -147,36 +169,31 @@ files_exec_etc_files(pppd_t)
  files_manage_etc_runtime_files(pppd_t)
  files_dontaudit_write_etc_files(pppd_t)
  
@@ -61458,6 +61485,7 @@ index b2b5dba..7b8a7d1 100644
  sysnet_exec_ifconfig(pppd_t)
  sysnet_manage_config(pppd_t)
  sysnet_etc_filetrans_config(pppd_t)
++sysnet_filetrans_config_fromdir(pppd_t, pppd_var_run_t, file, "resolv.conf")
  
 -userdom_use_user_terminals(pppd_t)
 +userdom_use_inherited_user_terminals(pppd_t)
@@ -61469,7 +61497,7 @@ index b2b5dba..7b8a7d1 100644
  
  optional_policy(`
  	ddclient_run(pppd_t, pppd_roles)
-@@ -186,11 +202,13 @@ optional_policy(`
+@@ -186,11 +203,13 @@ optional_policy(`
  	l2tpd_dgram_send(pppd_t)
  	l2tpd_rw_socket(pppd_t)
  	l2tpd_stream_connect(pppd_t)
@@ -61484,7 +61512,7 @@ index b2b5dba..7b8a7d1 100644
  	')
  ')
  
-@@ -218,16 +236,19 @@ optional_policy(`
+@@ -218,16 +237,19 @@ optional_policy(`
  
  ########################################
  #
@@ -61507,7 +61535,7 @@ index b2b5dba..7b8a7d1 100644
  
  allow pptp_t pppd_etc_t:dir list_dir_perms;
  allow pptp_t pppd_etc_t:file read_file_perms;
-@@ -236,45 +257,43 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms;
+@@ -236,45 +258,43 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms;
  allow pptp_t pppd_etc_rw_t:dir list_dir_perms;
  allow pptp_t pppd_etc_rw_t:file read_file_perms;
  allow pptp_t pppd_etc_rw_t:lnk_file read_lnk_file_perms;
@@ -61564,7 +61592,7 @@ index b2b5dba..7b8a7d1 100644
  fs_getattr_all_fs(pptp_t)
  fs_search_auto_mountpoints(pptp_t)
  
-@@ -282,12 +301,12 @@ term_ioctl_generic_ptys(pptp_t)
+@@ -282,12 +302,12 @@ term_ioctl_generic_ptys(pptp_t)
  term_search_ptys(pptp_t)
  term_use_ptmx(pptp_t)
  
@@ -61579,7 +61607,7 @@ index b2b5dba..7b8a7d1 100644
  sysnet_exec_ifconfig(pptp_t)
  
  userdom_dontaudit_use_unpriv_user_fds(pptp_t)
-@@ -299,6 +318,10 @@ optional_policy(`
+@@ -299,6 +319,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -71377,7 +71405,7 @@ index 56bc01f..b8d154e 100644
 +    allow $1 cluster_unit_file_t:service all_service_perms;
  ')
 diff --git a/rhcs.te b/rhcs.te
-index 2c2de9a..6b7a0f6 100644
+index 2c2de9a..b978814 100644
 --- a/rhcs.te
 +++ b/rhcs.te
 @@ -20,6 +20,27 @@ gen_tunable(fenced_can_network_connect, false)
@@ -71703,7 +71731,7 @@ index 2c2de9a..6b7a0f6 100644
  allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
  
  stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
-@@ -98,6 +366,16 @@ fs_manage_configfs_dirs(dlm_controld_t)
+@@ -98,16 +366,30 @@ fs_manage_configfs_dirs(dlm_controld_t)
  
  init_rw_script_tmp_files(dlm_controld_t)
  
@@ -71720,11 +71748,12 @@ index 2c2de9a..6b7a0f6 100644
  #######################################
  #
  # fenced local policy
-@@ -105,9 +383,13 @@ init_rw_script_tmp_files(dlm_controld_t)
+ #
  
  allow fenced_t self:capability { sys_rawio sys_resource };
- allow fenced_t self:process { getsched signal_perms };
+-allow fenced_t self:process { getsched signal_perms };
 -allow fenced_t self:tcp_socket { accept listen };
++allow fenced_t self:process { getsched setpgid signal_perms };
 +
 +allow fenced_t self:tcp_socket create_stream_socket_perms;
 +allow fenced_t self:udp_socket create_socket_perms;
@@ -71766,16 +71795,17 @@ index 2c2de9a..6b7a0f6 100644
  
  tunable_policy(`fenced_can_network_connect',`
  	corenet_sendrecv_all_client_packets(fenced_t)
-@@ -182,7 +461,7 @@ optional_policy(`
+@@ -182,7 +461,8 @@ optional_policy(`
  ')
  
  optional_policy(`
 -	corosync_exec(fenced_t)
 +    rhcs_exec_cluster(fenced_t)
++    rhcs_rw_cluster_tmpfs(fenced_t)
  ')
  
  optional_policy(`
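Review bot: The new `rhcs_rw_cluster_tmpfs(fenced_t)` line is indented with four spaces, while the removed `corosync_exec(fenced_t)` line it sits next to used a tab, so the block now mixes both styles; it should be `	rhcs_rw_cluster_tmpfs(fenced_t)`. Also, after this change the `optional_policy` block contains only `rhcs_*` interfaces, which are defined by rhcs.te's own module and are always present, so the wrapper no longer protects anything and the two calls could live at top level unless the block is kept for a reason not visible here. The fenced_t section continues outside the hunk.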
-@@ -190,12 +469,12 @@ optional_policy(`
+@@ -190,12 +470,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -71791,7 +71821,7 @@ index 2c2de9a..6b7a0f6 100644
  ')
  
  optional_policy(`
-@@ -203,6 +482,13 @@ optional_policy(`
+@@ -203,6 +483,13 @@ optional_policy(`
  	snmp_manage_var_lib_dirs(fenced_t)
  ')
  
@@ -71805,7 +71835,7 @@ index 2c2de9a..6b7a0f6 100644
  #######################################
  #
  # foghorn local policy
-@@ -221,16 +507,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
+@@ -221,16 +508,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
  corenet_tcp_connect_agentx_port(foghorn_t)
  corenet_tcp_sendrecv_agentx_port(foghorn_t)
  
@@ -71826,7 +71856,7 @@ index 2c2de9a..6b7a0f6 100644
  	snmp_stream_connect(foghorn_t)
  ')
  
-@@ -257,6 +545,8 @@ storage_getattr_removable_dev(gfs_controld_t)
+@@ -257,6 +546,8 @@ storage_getattr_removable_dev(gfs_controld_t)
  
  init_rw_script_tmp_files(gfs_controld_t)
  
@@ -71835,7 +71865,7 @@ index 2c2de9a..6b7a0f6 100644
  optional_policy(`
  	lvm_exec(gfs_controld_t)
  	dev_rw_lvm_control(gfs_controld_t)
-@@ -275,10 +565,39 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
+@@ -275,10 +566,39 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
  
  dev_list_sysfs(groupd_t)
  
@@ -71877,7 +71907,7 @@ index 2c2de9a..6b7a0f6 100644
  ######################################
  #
  # qdiskd local policy
-@@ -321,6 +640,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
+@@ -321,6 +641,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
  
  auth_use_nsswitch(qdiskd_t)
  
@@ -87123,7 +87153,7 @@ index c7de0cf..03fc880 100644
 +/usr/libexec/telepathy-stream-engine	--	gen_context(system_u:object_r:telepathy_stream_engine_exec_t, s0)
 +/usr/libexec/telepathy-sunshine		--	gen_context(system_u:object_r:telepathy_sunshine_exec_t, s0)
 diff --git a/telepathy.if b/telepathy.if
-index 42946bc..741f2f4 100644
+index 42946bc..9f70e4c 100644
 --- a/telepathy.if
 +++ b/telepathy.if
 @@ -2,45 +2,39 @@
@@ -87396,7 +87426,7 @@ index 42946bc..741f2f4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -209,11 +197,138 @@ interface(`telepathy_msn_stream_connect',`
+@@ -209,11 +197,140 @@ interface(`telepathy_msn_stream_connect',`
  ##	</summary>
  ## </param>
  #
@@ -87510,13 +87540,15 @@ index 42946bc..741f2f4 100644
 +	userdom_user_home_dir_filetrans($1, telepathy_mission_control_home_t, dir, ".mission-control")
 +	userdom_user_home_dir_filetrans($1, telepathy_sunshine_home_t, dir, ".telepathy-sunshine")
 +
-+	gnome_cache_filetrans($1, telepathy_mission_control_cache_home_t, file, ".mc_connections")
-+	gnome_cache_filetrans($1, telepathy_gabble_cache_home_t, dir, "gabble")
-+	gnome_cache_filetrans($1, telepathy_gabble_cache_home_t, dir, "wocky")
-+	gnome_cache_filetrans($1, telepathy_cache_home_t, dir, "telepathy")
++	optional_policy(`
++		gnome_cache_filetrans($1, telepathy_mission_control_cache_home_t, file, ".mc_connections")
++		gnome_cache_filetrans($1, telepathy_gabble_cache_home_t, dir, "gabble")	
++		gnome_cache_filetrans($1, telepathy_gabble_cache_home_t, dir, "wocky")
++		gnome_cache_filetrans($1, telepathy_cache_home_t, dir, "telepathy")
 +
-+	gnome_data_filetrans($1, telepathy_logger_data_home_t, dir, "TpLogger")
-+	gnome_data_filetrans($1, telepathy_data_home_t, dir, "telepathy")
++		gnome_data_filetrans($1, telepathy_logger_data_home_t, dir, "TpLogger")
++		gnome_data_filetrans($1, telepathy_data_home_t, dir, "telepathy")
++	')
 +')
 +
 +######################################
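Review bot: The `gnome_cache_filetrans($1, telepathy_gabble_cache_home_t, dir, "gabble")` line inside the new `optional_policy` block carries a trailing tab, which the other rewrapped lines do not; it should end at the closing parenthesis, i.e. `		gnome_cache_filetrans($1, telepathy_gabble_cache_home_t, dir, "gabble")`. The enclosing interface starts before the hunk.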
@@ -88761,10 +88793,10 @@ index 0000000..5e3637e
 +')
 diff --git a/thin.te b/thin.te
 new file mode 100644
-index 0000000..ff282dc
+index 0000000..39d17b7
 --- /dev/null
 +++ b/thin.te
-@@ -0,0 +1,114 @@
+@@ -0,0 +1,115 @@
 +policy_module(thin, 1.0)
 +
 +########################################
@@ -88841,6 +88873,7 @@ index 0000000..ff282dc
 +#
 +
 +allow thin_t self:capability { setuid kill setgid dac_override };
++allow thin_t self:capability2 block_suspend;
 +
 +allow thin_t self:netlink_route_socket r_netlink_socket_perms;
 +allow thin_t self:udp_socket create_socket_perms;
@@ -88905,10 +88938,10 @@ index 0000000..92b6843
 +/usr/lib/tumbler[^/]*/tumblerd		--	gen_context(system_u:object_r:thumb_exec_t,s0)
 diff --git a/thumb.if b/thumb.if
 new file mode 100644
-index 0000000..8b2dfff
+index 0000000..c1fd8b4
 --- /dev/null
 +++ b/thumb.if
-@@ -0,0 +1,130 @@
+@@ -0,0 +1,133 @@
 +
 +## <summary>policy for thumb</summary>
 +
@@ -89015,7 +89048,7 @@ index 0000000..8b2dfff
 +
 +        allow $1 thumb_t:dbus send_msg;
 +        allow thumb_t $1:dbus send_msg;
-+		ps_process_pattern(thumb_t, $1)
++	ps_process_pattern(thumb_t, $1)
 +')
 +
 +########################################
@@ -89037,7 +89070,10 @@ index 0000000..8b2dfff
 +
 +	userdom_user_home_dir_filetrans($1, thumb_home_t, dir, ".thumbnails")
 +	userdom_user_home_dir_filetrans($1, thumb_home_t, file, "missfont.log")
-+	gnome_cache_filetrans($1, thumb_home_t, dir, "thumbnails")
++
++	optional_policy(`
++		gnome_cache_filetrans($1, thumb_home_t, dir, "thumbnails")
++	')
 +')
 diff --git a/thumb.te b/thumb.te
 new file mode 100644
@@ -99337,10 +99373,10 @@ index 0000000..8c61505
 +/var/spool/zoneminder-upload(/.*)?	gen_context(system_u:object_r:zoneminder_spool_t,s0)
 diff --git a/zoneminder.if b/zoneminder.if
 new file mode 100644
-index 0000000..614a979
+index 0000000..d02a6f4
 --- /dev/null
 +++ b/zoneminder.if
-@@ -0,0 +1,354 @@
+@@ -0,0 +1,374 @@
 +## <summary>policy for zoneminder</summary>
 +
 +########################################
@@ -99362,6 +99398,26 @@ index 0000000..614a979
 +	domtrans_pattern($1, zoneminder_exec_t, zoneminder_t)
 +')
 +
++########################################
++## <summary>
++##	Allow the specified domain to execute zoneminder
++##	in the caller domain.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`zoneminder_exec',`
++	gen_require(`
++		type zoneminder_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	can_exec($1, zoneminder_exec_t)
++')
++
 +
 +########################################
 +## <summary>
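Review bot: The `<param name="domain">` summary of the new `zoneminder_exec` interface reads "Domain allowed to transition.", which is copied from the `zoneminder_domtrans` interface above it; since this interface only grants `can_exec` with no domain transition, the summary should be `##	Domain allowed access.`. The interface is also followed by two blank lines (the new one plus the existing one), where the rest of the file uses a single separator.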
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 7651965..cb66d04 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 91%{?dist}
+Release: 92%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -572,6 +572,20 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Tue Oct 22 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-92
+- Allow sshd_t to read openshift content, needs backport to RHEL6.5
+- Label /usr/lib64/sasl2/libsasldb.so.3.0.0 as textrel_shlib_t
+- Make sur kdump lock is created with correct label if kdumpctl is executed
+- gnome interface calls should always be made within an optional_block
+- Allow syslogd_t to connect to the syslog_tls port
+- Add labeling for /var/run/charon.ctl socket
+- Add kdump_filetrans_named_content()
+- Allo setpgid for fenced_t
+- Allow setpgid and r/w cluster tmpfs for fenced_t
+- gnome calls should always be within optional blocks
+- wicd.pid should be labeled as networkmanager_var_run_t
+- Allow sys_resource for lldpad
+
 * Thu Oct 17 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-91
 - Add rtas policy
 

