- Add decl for cockip port

- Allow sysadm_t to read all kernel proc - Allow logrotate to execute all executables - Allow lircd_t to use tty_device_t for use withmythtv - Make sure all zabbix files direcories in /var/log have the correct label - Allow bittlebee to create directories and files in /var/log with the correct label - Label /var/log/horizon as an apache log - Add squid directory in /var/run - Add transition rules to allow rabbitmq to create log files and var_lib files with the correct label - Wronly labeled avahi_var_lib_t as a pid file - Fix labels on rabbitmq_var_run_t on file/dir creation - Allow neutron to create sock files - Allow postfix domains to getattr on all file systems - Label swift-proxy-server as swift_exec_t - Tighten SELinux capabilities to match docker capabilities - Add fixes for squid which is configured to run with more than one worker. - Allow cockpit to bind to its port
2014-05-27 10:30:27 +02:00 · 2014-05-27 10:30:27 +02:00 · 0ddb744a37
parent cccaf8f646
commit 0ddb744a37
3 changed files with 291 additions and 207 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -3174,10 +3174,10 @@ index 1dc7a85..c6f4da0 100644
 +	corecmd_shell_domtrans($1_seunshare_t, $1_t)
 ')
 diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te
-index 7590165..b516b43 100644
+index 7590165..85186a9 100644
 --- a/policy/modules/apps/seunshare.te
 +++ b/policy/modules/apps/seunshare.te
-@@ -5,40 +5,62 @@ policy_module(seunshare, 1.1.0)
+@@ -5,40 +5,65 @@ policy_module(seunshare, 1.1.0)
 # Declarations
 #
 
@ -3237,17 +3237,20 @@ index 7590165..b516b43 100644
 -	fs_dontaudit_rw_anon_inodefs_files(seunshare_t)
 +	fs_dontaudit_rw_anon_inodefs_files(seunshare_domain)
 + 	fs_dontaudit_list_inotifyfs(seunshare_domain)
-+
-+	optional_policy(`
-+		gnome_dontaudit_rw_inherited_config(seunshare_domain)
-+	')
 
 	optional_policy(`
 -		mozilla_dontaudit_manage_user_home_files(seunshare_t)
+		gnome_dontaudit_rw_inherited_config(seunshare_domain)
+ 	')
+
+	optional_policy(`
 +		mozilla_dontaudit_manage_user_home_files(seunshare_domain)
 +		mozilla_plugin_dontaudit_leaks(seunshare_domain)
- 	')
- ')
+	')
+')
+optional_policy(`
+	rsync_exec(seunshare_domain)
+')
 +
 +tunable_policy(`use_nfs_home_dirs',`
 +	fs_mounton_nfs(seunshare_domain)
@ -3259,7 +3262,7 @@ index 7590165..b516b43 100644
 +
 +tunable_policy(`use_fusefs_home_dirs',`
 +	fs_mounton_fusefs(seunshare_domain)
-+')
+ ')
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
 index 33e0f8d..d3434a9 100644
 --- a/policy/modules/kernel/corecommands.fc
@ -5448,7 +5451,7 @@ index 8e0f9cd..b9f45b9 100644
 
 define(`create_packet_interfaces',``
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index b191055..1463ef3 100644
+index b191055..e19170b 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
@ -5522,7 +5525,7 @@ index b191055..1463ef3 100644
 # reserved_port_t is the type of INET port numbers below 1024.
 #
 type reserved_port_t, port_type, reserved_port_type;
-@@ -84,55 +107,68 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
+@@ -84,55 +107,69 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
 network_port(amavisd_recv, tcp,10024,s0)
 network_port(amavisd_send, tcp,10025,s0)
 network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0)
@ -5541,6 +5544,7 @@ index b191055..1463ef3 100644
 network_port(boinc_client, tcp,1043,s0, udp,1034,s0)
 network_port(biff) # no defined portcon
 network_port(certmaster, tcp,51235,s0)
+network_port(cockpit, udp,1001,s0)
 +network_port(collectd, udp,25826,s0)
 network_port(chronyd, udp,323,s0)
 network_port(clamd, tcp,3310,s0)
@ -5599,7 +5603,7 @@ index b191055..1463ef3 100644
 network_port(gopher, tcp,70,s0, udp,70,s0)
 network_port(gpsd, tcp,2947,s0)
 network_port(hadoop_datanode, tcp,50010,s0)
-@@ -140,45 +176,52 @@ network_port(hadoop_namenode, tcp,8020,s0)
+@@ -140,45 +177,52 @@ network_port(hadoop_namenode, tcp,8020,s0)
 network_port(hddtemp, tcp,7634,s0)
 network_port(howl, tcp,5335,s0, udp,5353,s0)
 network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
@ -5666,7 +5670,7 @@ index b191055..1463ef3 100644
 network_port(msnp, tcp,1863,s0, udp,1863,s0)
 network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
 network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
-@@ -186,26 +229,36 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
+@@ -186,26 +230,36 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
 network_port(mxi, tcp,8005,s0, udp,8005,s0)
 network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
 network_port(mysqlmanagerd, tcp,2273,s0)
@ -5707,8 +5711,11 @@ index b191055..1463ef3 100644
 network_port(portmap, udp,111,s0, tcp,111,s0)
 network_port(postfix_policyd, tcp,10031,s0)
 network_port(postgresql, tcp,5432,s0)
-@@ -215,66 +268,74 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
+@@ -213,68 +267,77 @@ network_port(postgrey, tcp,60000,s0)
+ network_port(pptp, tcp,1723,s0, udp,1723,s0)
+ network_port(prelude, tcp,4690,s0, udp,4690,s0)
 network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
+network_port(preupgrade, tcp, 8099, s0)
 network_port(printer, tcp,515,s0)
 network_port(ptal, tcp,5703,s0)
 -network_port(pulseaudio, tcp,4713,s0)
@ -5793,7 +5800,7 @@ index b191055..1463ef3 100644
 network_port(winshadow, tcp,3161,s0, udp,3261,s0)
 network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
 network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
-@@ -288,19 +349,23 @@ network_port(zabbix_agent, tcp,10050,s0)
+@@ -288,19 +351,23 @@ network_port(zabbix_agent, tcp,10050,s0)
 network_port(zookeeper_client, tcp,2181,s0)
 network_port(zookeeper_election, tcp,3888,s0)
 network_port(zookeeper_leader, tcp,2888,s0)
@ -5820,7 +5827,7 @@ index b191055..1463ef3 100644
 
 ########################################
 #
-@@ -333,6 +398,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+@@ -333,6 +400,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
 
 build_option(`enable_mls',`
 network_interface(lo, lo, s0 - mls_systemhigh)
@ -5829,7 +5836,7 @@ index b191055..1463ef3 100644
 ',`
 typealias netif_t alias { lo_netif_t netif_lo_t };
 ')
-@@ -345,9 +412,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -345,9 +414,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
 allow corenet_unconfined_type node_type:node *;
 allow corenet_unconfined_type netif_type:netif *;
 allow corenet_unconfined_type packet_type:packet *;
@ -18984,10 +18991,10 @@ index ff92430..36740ea 100644
 ## <summary>
 ##	Execute a generic bin program in the sysadm domain.
 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 2522ca6..5307091 100644
+index 2522ca6..0ad95e4 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
-@@ -5,39 +5,85 @@ policy_module(sysadm, 2.6.1)
+@@ -5,39 +5,86 @@ policy_module(sysadm, 2.6.1)
 # Declarations
 #
 
@ -19011,6 +19018,7 @@ index 2522ca6..5307091 100644
 # Local policy
 #
 +kernel_read_fs_sysctls(sysadm_t)
+kernel_read_all_proc(sysadm_t)
 
 corecmd_exec_shell(sysadm_t)
 
@ -19084,7 +19092,7 @@ index 2522ca6..5307091 100644
 
 ifdef(`direct_sysadm_daemon',`
 	optional_policy(`
-@@ -55,13 +101,7 @@ ifdef(`distro_gentoo',`
+@@ -55,13 +102,7 @@ ifdef(`distro_gentoo',`
 	init_exec_rc(sysadm_t)
 ')
 
@ -19099,7 +19107,7 @@ index 2522ca6..5307091 100644
 	domain_ptrace_all_domains(sysadm_t)
 ')
 
-@@ -71,9 +111,9 @@ optional_policy(`
+@@ -71,9 +112,9 @@ optional_policy(`
 
 optional_policy(`
 	apache_run_helper(sysadm_t, sysadm_r)
@ -19110,7 +19118,7 @@ index 2522ca6..5307091 100644
 ')
 
 optional_policy(`
-@@ -87,6 +127,7 @@ optional_policy(`
+@@ -87,6 +128,7 @@ optional_policy(`
 
 optional_policy(`
 	asterisk_stream_connect(sysadm_t)
@ -19118,7 +19126,7 @@ index 2522ca6..5307091 100644
 ')
 
 optional_policy(`
-@@ -110,11 +151,17 @@ optional_policy(`
+@@ -110,11 +152,17 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -19136,7 +19144,7 @@ index 2522ca6..5307091 100644
 ')
 
 optional_policy(`
-@@ -122,11 +169,19 @@ optional_policy(`
+@@ -122,11 +170,19 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -19158,7 +19166,7 @@ index 2522ca6..5307091 100644
 ')
 
 optional_policy(`
-@@ -140,6 +195,10 @@ optional_policy(`
+@@ -140,6 +196,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -19169,7 +19177,7 @@ index 2522ca6..5307091 100644
 	dmesg_exec(sysadm_t)
 ')
 
-@@ -156,6 +215,10 @@ optional_policy(`
+@@ -156,6 +216,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -19180,7 +19188,7 @@ index 2522ca6..5307091 100644
 	fstools_run(sysadm_t, sysadm_r)
 ')
 
-@@ -175,6 +238,13 @@ optional_policy(`
+@@ -175,6 +239,13 @@ optional_policy(`
 	ipsec_stream_connect(sysadm_t)
 	# for lsof
 	ipsec_getattr_key_sockets(sysadm_t)
@ -19194,7 +19202,7 @@ index 2522ca6..5307091 100644
 ')
 
 optional_policy(`
-@@ -182,15 +252,20 @@ optional_policy(`
+@@ -182,15 +253,20 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -19218,7 +19226,7 @@ index 2522ca6..5307091 100644
 ')
 
 optional_policy(`
-@@ -210,22 +285,20 @@ optional_policy(`
+@@ -210,22 +286,20 @@ optional_policy(`
 	modutils_run_depmod(sysadm_t, sysadm_r)
 	modutils_run_insmod(sysadm_t, sysadm_r)
 	modutils_run_update_mods(sysadm_t, sysadm_r)
@ -19247,7 +19255,7 @@ index 2522ca6..5307091 100644
 ')
 
 optional_policy(`
-@@ -237,14 +310,27 @@ optional_policy(`
+@@ -237,14 +311,27 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -19275,7 +19283,7 @@ index 2522ca6..5307091 100644
 ')
 
 optional_policy(`
-@@ -252,10 +338,20 @@ optional_policy(`
+@@ -252,10 +339,20 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -19296,7 +19304,7 @@ index 2522ca6..5307091 100644
 	portage_run(sysadm_t, sysadm_r)
 	portage_run_fetch(sysadm_t, sysadm_r)
 	portage_run_gcc_config(sysadm_t, sysadm_r)
-@@ -266,35 +362,41 @@ optional_policy(`
+@@ -266,35 +363,41 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -19345,7 +19353,7 @@ index 2522ca6..5307091 100644
 ')
 
 optional_policy(`
-@@ -308,6 +410,7 @@ optional_policy(`
+@@ -308,6 +411,7 @@ optional_policy(`
 
 optional_policy(`
 	screen_role_template(sysadm, sysadm_r, sysadm_t)
@ -19353,7 +19361,7 @@ index 2522ca6..5307091 100644
 ')
 
 optional_policy(`
-@@ -315,12 +418,20 @@ optional_policy(`
+@@ -315,12 +419,20 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -19375,7 +19383,7 @@ index 2522ca6..5307091 100644
 ')
 
 optional_policy(`
-@@ -345,7 +456,18 @@ optional_policy(`
+@@ -345,7 +457,18 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -19395,7 +19403,7 @@ index 2522ca6..5307091 100644
 ')
 
 optional_policy(`
-@@ -356,19 +478,11 @@ optional_policy(`
+@@ -356,19 +479,11 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -19416,7 +19424,7 @@ index 2522ca6..5307091 100644
 ')
 
 optional_policy(`
-@@ -380,10 +494,6 @@ optional_policy(`
+@@ -380,10 +495,6 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -19427,7 +19435,7 @@ index 2522ca6..5307091 100644
 	usermanage_run_admin_passwd(sysadm_t, sysadm_r)
 	usermanage_run_groupadd(sysadm_t, sysadm_r)
 	usermanage_run_useradd(sysadm_t, sysadm_r)
-@@ -391,6 +501,9 @@ optional_policy(`
+@@ -391,6 +502,9 @@ optional_policy(`
 
 optional_policy(`
 	virt_stream_connect(sysadm_t)
@ -19437,7 +19445,7 @@ index 2522ca6..5307091 100644
 ')
 
 optional_policy(`
-@@ -398,31 +511,34 @@ optional_policy(`
+@@ -398,31 +512,34 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -19478,7 +19486,7 @@ index 2522ca6..5307091 100644
 		auth_role(sysadm_r, sysadm_t)
 	')
 
-@@ -435,10 +551,6 @@ ifndef(`distro_redhat',`
+@@ -435,10 +552,6 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
@ -19489,7 +19497,7 @@ index 2522ca6..5307091 100644
 		dbus_role_template(sysadm, sysadm_r, sysadm_t)
 
 		optional_policy(`
-@@ -459,15 +571,79 @@ ifndef(`distro_redhat',`
+@@ -459,15 +572,79 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
@ -29796,7 +29804,7 @@ index 79a45f6..89b43aa 100644
 +	files_etc_filetrans($1, machineid_t, file, "machine-id" )
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..956662b 100644
+index 17eda24..fc94c2a 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@ -29966,7 +29974,7 @@ index 17eda24..956662b 100644
 
 allow init_t initctl_t:fifo_file manage_fifo_file_perms;
 dev_filetrans(init_t, initctl_t, fifo_file)
-@@ -125,13 +202,18 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+@@ -125,13 +202,22 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
 
 kernel_read_system_state(init_t)
 kernel_share_state(init_t)
@ -29976,6 +29984,10 @@ index 17eda24..956662b 100644
 corecmd_exec_bin(init_t)
 
 -dev_read_sysfs(init_t)
+corenet_all_recvfrom_netlabel(init_t)
+corenet_tcp_bind_all_ports(init_t)
+corenet_udp_bind_all_ports(init_t)
+
 +dev_rw_sysfs(init_t)
 +dev_read_urand(init_t)
 +dev_read_raw_memory(init_t)
@ -29986,7 +29998,7 @@ index 17eda24..956662b 100644
 
 domain_getpgid_all_domains(init_t)
 domain_kill_all_domains(init_t)
-@@ -139,14 +221,22 @@ domain_signal_all_domains(init_t)
+@@ -139,14 +225,22 @@ domain_signal_all_domains(init_t)
 domain_signull_all_domains(init_t)
 domain_sigstop_all_domains(init_t)
 domain_sigchld_all_domains(init_t)
@ -30009,7 +30021,7 @@ index 17eda24..956662b 100644
 # file descriptors inherited from the rootfs:
 files_dontaudit_rw_root_files(init_t)
 files_dontaudit_rw_root_chr_files(init_t)
-@@ -156,28 +246,53 @@ fs_list_inotifyfs(init_t)
+@@ -156,28 +250,53 @@ fs_list_inotifyfs(init_t)
 fs_write_ramfs_sockets(init_t)
 
 mcs_process_set_categories(init_t)
@ -30053,11 +30065,11 @@ index 17eda24..956662b 100644
 
 seutil_read_config(init_t)
 +seutil_read_module_store(init_t)
- 
-miscfiles_read_localization(init_t)
+
 +miscfiles_manage_localization(init_t)
 +miscfiles_filetrans_named_content(init_t)
-+
+ 
+-miscfiles_read_localization(init_t)
 +userdom_use_user_ttys(init_t)
 +userdom_manage_tmp_dirs(init_t)
 +userdom_manage_tmp_sockets(init_t)
@ -30066,7 +30078,7 @@ index 17eda24..956662b 100644
 
 ifdef(`distro_gentoo',`
 	allow init_t self:process { getcap setcap };
-@@ -186,29 +301,236 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +305,236 @@ ifdef(`distro_gentoo',`
 ')
 
 ifdef(`distro_redhat',`
@ -30098,15 +30110,14 @@ index 17eda24..956662b 100644
 +
 +optional_policy(`
 +	chronyd_read_keys(init_t)
- ')
- 
- optional_policy(`
-	auth_rw_login_records(init_t)
+')
+
+optional_policy(`
 +	kdump_read_crash(init_t)
 +	kdump_read_config(init_t)
- ')
- 
- optional_policy(`
+')
+
+optional_policy(`
 +	gnome_filetrans_home_content(init_t)
 +	gnome_manage_data(init_t)
 +')
@ -30276,13 +30287,14 @@ index 17eda24..956662b 100644
 +optional_policy(`
 +	lvm_rw_pipes(init_t)
 +	lvm_read_config(init_t)
-+')
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	auth_rw_login_records(init_t)
 +	consolekit_manage_log(init_t)
-+')
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
 +	dbus_connect_system_bus(init_t)
 	dbus_system_bus_client(init_t)
 +	dbus_delete_pid_files(init_t)
@ -30298,21 +30310,21 @@ index 17eda24..956662b 100644
 +	# the directory. But we do not want to allow this.
 +	# The master process of dovecot will manage this file.
 +	dovecot_dontaudit_unlink_lib_files(initrc_t)
-+')
-+
-+optional_policy(`
-+		networkmanager_stream_connect(init_t)
 ')
 
 optional_policy(`
 -	nscd_use(init_t)
+		networkmanager_stream_connect(init_t)
+')
+
+optional_policy(`
 +	plymouthd_stream_connect(init_t)
 +	plymouthd_exec_plymouth(init_t)
 +	plymouthd_filetrans_named_content(init_t)
 ')
 
 optional_policy(`
-@@ -216,7 +538,31 @@ optional_policy(`
+@@ -216,7 +542,31 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30344,7 +30356,7 @@ index 17eda24..956662b 100644
 ')
 
 ########################################
-@@ -225,9 +571,9 @@ optional_policy(`
+@@ -225,9 +575,9 @@ optional_policy(`
 #
 
 allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@ -30356,7 +30368,7 @@ index 17eda24..956662b 100644
 allow initrc_t self:passwd rootok;
 allow initrc_t self:key manage_key_perms;
 
-@@ -258,12 +604,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +608,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
 
 allow initrc_t initrc_var_run_t:file manage_file_perms;
 files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@ -30373,7 +30385,7 @@ index 17eda24..956662b 100644
 
 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
 manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +629,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +633,36 @@ kernel_change_ring_buffer_level(initrc_t)
 kernel_clear_ring_buffer(initrc_t)
 kernel_get_sysvipc_info(initrc_t)
 kernel_read_all_sysctls(initrc_t)
@ -30416,7 +30428,7 @@ index 17eda24..956662b 100644
 corenet_tcp_sendrecv_all_ports(initrc_t)
 corenet_udp_sendrecv_all_ports(initrc_t)
 corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +666,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +670,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
 
 dev_read_rand(initrc_t)
 dev_read_urand(initrc_t)
@ -30428,7 +30440,7 @@ index 17eda24..956662b 100644
 dev_rw_sysfs(initrc_t)
 dev_list_usbfs(initrc_t)
 dev_read_framebuffer(initrc_t)
-@@ -313,8 +678,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +682,10 @@ dev_write_framebuffer(initrc_t)
 dev_read_realtime_clock(initrc_t)
 dev_read_sound_mixer(initrc_t)
 dev_write_sound_mixer(initrc_t)
@ -30439,7 +30451,7 @@ index 17eda24..956662b 100644
 dev_delete_lvm_control_dev(initrc_t)
 dev_manage_generic_symlinks(initrc_t)
 dev_manage_generic_files(initrc_t)
-@@ -322,8 +689,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +693,7 @@ dev_manage_generic_files(initrc_t)
 dev_delete_generic_symlinks(initrc_t)
 dev_getattr_all_blk_files(initrc_t)
 dev_getattr_all_chr_files(initrc_t)
@ -30449,7 +30461,7 @@ index 17eda24..956662b 100644
 
 domain_kill_all_domains(initrc_t)
 domain_signal_all_domains(initrc_t)
-@@ -332,7 +698,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +702,6 @@ domain_sigstop_all_domains(initrc_t)
 domain_sigchld_all_domains(initrc_t)
 domain_read_all_domains_state(initrc_t)
 domain_getattr_all_domains(initrc_t)
@ -30457,7 +30469,7 @@ index 17eda24..956662b 100644
 domain_getsession_all_domains(initrc_t)
 domain_use_interactive_fds(initrc_t)
 # for lsof which is used by alsa shutdown:
-@@ -340,6 +705,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +709,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
 domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
 domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
 domain_dontaudit_getattr_all_pipes(initrc_t)
@ -30465,7 +30477,7 @@ index 17eda24..956662b 100644
 
 files_getattr_all_dirs(initrc_t)
 files_getattr_all_files(initrc_t)
-@@ -347,14 +713,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +717,15 @@ files_getattr_all_symlinks(initrc_t)
 files_getattr_all_pipes(initrc_t)
 files_getattr_all_sockets(initrc_t)
 files_purge_tmp(initrc_t)
@ -30483,7 +30495,7 @@ index 17eda24..956662b 100644
 files_read_usr_files(initrc_t)
 files_manage_urandom_seed(initrc_t)
 files_manage_generic_spool(initrc_t)
-@@ -364,8 +731,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +735,12 @@ files_list_isid_type_dirs(initrc_t)
 files_mounton_isid_type_dirs(initrc_t)
 files_list_default(initrc_t)
 files_mounton_default(initrc_t)
@ -30497,7 +30509,7 @@ index 17eda24..956662b 100644
 fs_list_inotifyfs(initrc_t)
 fs_register_binary_executable_type(initrc_t)
 # rhgb-console writes to ramfs
-@@ -375,10 +746,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +750,11 @@ fs_mount_all_fs(initrc_t)
 fs_unmount_all_fs(initrc_t)
 fs_remount_all_fs(initrc_t)
 fs_getattr_all_fs(initrc_t)
@ -30511,7 +30523,7 @@ index 17eda24..956662b 100644
 mcs_process_set_categories(initrc_t)
 
 mls_file_read_all_levels(initrc_t)
-@@ -387,8 +759,10 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +763,10 @@ mls_process_read_up(initrc_t)
 mls_process_write_down(initrc_t)
 mls_rangetrans_source(initrc_t)
 mls_fd_share_all_levels(initrc_t)
@ -30522,7 +30534,7 @@ index 17eda24..956662b 100644
 
 storage_getattr_fixed_disk_dev(initrc_t)
 storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +772,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +776,7 @@ term_use_all_terms(initrc_t)
 term_reset_tty_labels(initrc_t)
 
 auth_rw_login_records(initrc_t)
@ -30530,7 +30542,7 @@ index 17eda24..956662b 100644
 auth_setattr_login_records(initrc_t)
 auth_rw_lastlog(initrc_t)
 auth_read_pam_pid(initrc_t)
-@@ -416,20 +791,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +795,18 @@ logging_read_all_logs(initrc_t)
 logging_append_all_logs(initrc_t)
 logging_read_audit_config(initrc_t)
 
@ -30554,7 +30566,7 @@ index 17eda24..956662b 100644
 
 ifdef(`distro_debian',`
 	dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +824,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +828,6 @@ ifdef(`distro_gentoo',`
 	allow initrc_t self:process setfscreate;
 	dev_create_null_dev(initrc_t)
 	dev_create_zero_dev(initrc_t)
@ -30562,7 +30574,7 @@ index 17eda24..956662b 100644
 	term_create_console_dev(initrc_t)
 
 	# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +858,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +862,10 @@ ifdef(`distro_gentoo',`
 	sysnet_setattr_config(initrc_t)
 
 	optional_policy(`
@ -30573,7 +30585,7 @@ index 17eda24..956662b 100644
 		alsa_read_lib(initrc_t)
 	')
 
-@@ -506,7 +882,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +886,7 @@ ifdef(`distro_redhat',`
 
 	# Red Hat systems seem to have a stray
 	# fd open from the initrd
@ -30582,7 +30594,7 @@ index 17eda24..956662b 100644
 	files_dontaudit_read_root_files(initrc_t)
 
 	# These seem to be from the initrd
-@@ -521,6 +897,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +901,7 @@ ifdef(`distro_redhat',`
 	files_create_boot_dirs(initrc_t)
 	files_create_boot_flag(initrc_t)
 	files_rw_boot_symlinks(initrc_t)
@ -30590,7 +30602,7 @@ index 17eda24..956662b 100644
 	# wants to read /.fonts directory
 	files_read_default_files(initrc_t)
 	files_mountpoint(initrc_tmp_t)
-@@ -541,6 +918,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +922,7 @@ ifdef(`distro_redhat',`
 	miscfiles_rw_localization(initrc_t)
 	miscfiles_setattr_localization(initrc_t)
 	miscfiles_relabel_localization(initrc_t)
@ -30598,7 +30610,7 @@ index 17eda24..956662b 100644
 
 	miscfiles_read_fonts(initrc_t)
 	miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +928,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +932,44 @@ ifdef(`distro_redhat',`
 	')
 
 	optional_policy(`
@ -30643,7 +30655,7 @@ index 17eda24..956662b 100644
 	')
 
 	optional_policy(`
-@@ -559,14 +973,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +977,31 @@ ifdef(`distro_redhat',`
 		rpc_write_exports(initrc_t)
 		rpc_manage_nfs_state_data(initrc_t)
 	')
@ -30675,7 +30687,7 @@ index 17eda24..956662b 100644
 	')
 ')
 
-@@ -577,6 +1008,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +1012,39 @@ ifdef(`distro_suse',`
 	')
 ')
 
@ -30715,7 +30727,7 @@ index 17eda24..956662b 100644
 optional_policy(`
 	amavis_search_lib(initrc_t)
 	amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1053,8 @@ optional_policy(`
+@@ -589,6 +1057,8 @@ optional_policy(`
 optional_policy(`
 	apache_read_config(initrc_t)
 	apache_list_modules(initrc_t)
@ -30724,7 +30736,7 @@ index 17eda24..956662b 100644
 ')
 
 optional_policy(`
-@@ -610,6 +1076,7 @@ optional_policy(`
+@@ -610,6 +1080,7 @@ optional_policy(`
 
 optional_policy(`
 	cgroup_stream_connect_cgred(initrc_t)
@ -30732,7 +30744,7 @@ index 17eda24..956662b 100644
 ')
 
 optional_policy(`
-@@ -626,6 +1093,17 @@ optional_policy(`
+@@ -626,6 +1097,17 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30750,7 +30762,7 @@ index 17eda24..956662b 100644
 	dev_getattr_printer_dev(initrc_t)
 
 	cups_read_log(initrc_t)
-@@ -642,9 +1120,13 @@ optional_policy(`
+@@ -642,9 +1124,13 @@ optional_policy(`
 	dbus_connect_system_bus(initrc_t)
 	dbus_system_bus_client(initrc_t)
 	dbus_read_config(initrc_t)
@ -30764,7 +30776,7 @@ index 17eda24..956662b 100644
 	')
 
 	optional_policy(`
-@@ -657,15 +1139,11 @@ optional_policy(`
+@@ -657,15 +1143,11 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30782,7 +30794,7 @@ index 17eda24..956662b 100644
 ')
 
 optional_policy(`
-@@ -686,6 +1164,15 @@ optional_policy(`
+@@ -686,6 +1168,15 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30798,7 +30810,7 @@ index 17eda24..956662b 100644
 	inn_exec_config(initrc_t)
 ')
 
-@@ -726,6 +1213,7 @@ optional_policy(`
+@@ -726,6 +1217,7 @@ optional_policy(`
 	lpd_list_spool(initrc_t)
 
 	lpd_read_config(initrc_t)
@ -30806,7 +30818,7 @@ index 17eda24..956662b 100644
 ')
 
 optional_policy(`
-@@ -743,7 +1231,13 @@ optional_policy(`
+@@ -743,7 +1235,13 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30821,7 +30833,7 @@ index 17eda24..956662b 100644
 	mta_dontaudit_read_spool_symlinks(initrc_t)
 ')
 
-@@ -766,6 +1260,10 @@ optional_policy(`
+@@ -766,6 +1264,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30832,7 +30844,7 @@ index 17eda24..956662b 100644
 	postgresql_manage_db(initrc_t)
 	postgresql_read_config(initrc_t)
 ')
-@@ -775,10 +1273,20 @@ optional_policy(`
+@@ -775,10 +1277,20 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30853,7 +30865,7 @@ index 17eda24..956662b 100644
 	quota_manage_flags(initrc_t)
 ')
 
-@@ -787,6 +1295,10 @@ optional_policy(`
+@@ -787,6 +1299,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30864,7 +30876,7 @@ index 17eda24..956662b 100644
 	fs_write_ramfs_sockets(initrc_t)
 	fs_search_ramfs(initrc_t)
 
-@@ -808,8 +1320,6 @@ optional_policy(`
+@@ -808,8 +1324,6 @@ optional_policy(`
 	# bash tries ioctl for some reason
 	files_dontaudit_ioctl_all_pids(initrc_t)
 
@ -30873,7 +30885,7 @@ index 17eda24..956662b 100644
 ')
 
 optional_policy(`
-@@ -818,6 +1328,10 @@ optional_policy(`
+@@ -818,6 +1332,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30884,7 +30896,7 @@ index 17eda24..956662b 100644
 	# shorewall-init script run /var/lib/shorewall/firewall
 	shorewall_lib_domtrans(initrc_t)
 ')
-@@ -827,10 +1341,12 @@ optional_policy(`
+@@ -827,10 +1345,12 @@ optional_policy(`
 	squid_manage_logs(initrc_t)
 ')
 
@ -30897,7 +30909,7 @@ index 17eda24..956662b 100644
 
 optional_policy(`
 	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1373,60 @@ optional_policy(`
+@@ -857,21 +1377,60 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30959,7 +30971,7 @@ index 17eda24..956662b 100644
 ')
 
 optional_policy(`
-@@ -887,6 +1442,10 @@ optional_policy(`
+@@ -887,6 +1446,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -30970,7 +30982,7 @@ index 17eda24..956662b 100644
 	# Set device ownerships/modes.
 	xserver_setattr_console_pipes(initrc_t)
 
-@@ -897,3 +1456,218 @@ optional_policy(`
+@@ -897,3 +1460,218 @@ optional_policy(`
 optional_policy(`
 	zebra_read_config(initrc_t)
 ')
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -3231,10 +3231,10 @@ index 0000000..83590aa
 +	spamassassin_read_pid_files(antivirus_domain)
 +')
 diff --git a/apache.fc b/apache.fc
-index 7caefc3..0d9db0a 100644
+index 7caefc3..7e70f67 100644
 --- a/apache.fc
 +++ b/apache.fc
-@@ -1,162 +1,202 @@
+@@ -1,162 +1,203 @@
 -HOME_DIR/((www)|(web)|(public_html))(/.+)?	gen_context(system_u:object_r:httpd_user_content_t,s0)
 -HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)?	gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
 +HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@ -3482,6 +3482,7 @@ index 7caefc3..0d9db0a 100644
 +/var/log/apache(2)?(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
 +/var/log/apache-ssl(2)?(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
 +/var/log/glpi(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/horizon(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
 +/var/log/cacti(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
 +/var/log/cgiwrap\.log.*		--	gen_context(system_u:object_r:httpd_log_t,s0)
 +/var/log/cherokee(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
@ -5036,7 +5037,7 @@ index f6eb485..61f36b6 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
 ')
 diff --git a/apache.te b/apache.te
-index 6649962..da729da 100644
+index 6649962..2a768b5 100644
 --- a/apache.te
 +++ b/apache.te
@@ -5,280 +5,339 @@ policy_module(apache, 2.7.2)
@ -6438,7 +6439,7 @@ index 6649962..da729da 100644
 	udev_read_db(httpd_t)
 ')
 
-@@ -883,65 +1108,183 @@ optional_policy(`
+@@ -883,65 +1108,189 @@ optional_policy(`
 	yam_read_content(httpd_t)
 ')
 
@ -6515,16 +6516,23 @@ index 6649962..da729da 100644
 +        anaconda_exec_preupgrade(httpd_t)
 +    ')
 +')
+
+optional_policy(`
+    tunable_policy(`httpd_run_preupgrade', `
+        corenet_tcp_bind_preupgrade_port(httpd_t)
+    ')
+') 
 +
 tunable_policy(`httpd_tty_comm',`
 -	userdom_use_user_terminals(httpd_helper_t)
 -',`
 -	userdom_dontaudit_use_user_terminals(httpd_helper_t)
 +	userdom_use_inherited_user_terminals(httpd_helper_t)
-+')
-+
-+########################################
-+#
+ ')
+ 
+ ########################################
+ #
+-# Suexec local policy
 +# Apache PHP script local policy
 +#
 +
@ -6583,11 +6591,10 @@ index 6649962..da729da 100644
 +	tunable_policy(`httpd_can_network_connect_db',`
 +		postgresql_tcp_connect(httpd_php_t)
 +	')
- ')
- 
- ########################################
- #
-# Suexec local policy
+')
+
+########################################
+#
 +# Apache suexec local policy
 #
 
@ -6644,7 +6651,7 @@ index 6649962..da729da 100644
 files_dontaudit_search_pids(httpd_suexec_t)
 files_search_home(httpd_suexec_t)
 
-@@ -950,123 +1293,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -950,123 +1299,74 @@ auth_use_nsswitch(httpd_suexec_t)
 logging_search_logs(httpd_suexec_t)
 logging_send_syslog_msg(httpd_suexec_t)
 
@ -6799,7 +6806,7 @@ index 6649962..da729da 100644
 	mysql_read_config(httpd_suexec_t)
 
 	tunable_policy(`httpd_can_network_connect_db',`
-@@ -1083,172 +1377,106 @@ optional_policy(`
+@@ -1083,172 +1383,106 @@ optional_policy(`
 	')
 ')
 
@ -6971,7 +6978,8 @@ index 6649962..da729da 100644
 -allow httpd_sys_script_t httpd_t:tcp_socket { read write };
 -
 -dontaudit httpd_sys_script_t httpd_config_t:dir search;
-
+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
+ 
 -allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
 -
 -allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
@ -6989,8 +6997,7 @@ index 6649962..da729da 100644
 -apache_domtrans_rotatelogs(httpd_sys_script_t)
 -
 -auth_use_nsswitch(httpd_sys_script_t)
-+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
- 
+-
 -tunable_policy(`httpd_can_sendmail',`
 -	corenet_sendrecv_smtp_client_packets(httpd_sys_script_t)
 -	corenet_tcp_connect_smtp_port(httpd_sys_script_t)
@ -7036,7 +7043,7 @@ index 6649962..da729da 100644
 ')
 
 tunable_policy(`httpd_read_user_content',`
-@@ -1256,64 +1484,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1256,64 +1490,74 @@ tunable_policy(`httpd_read_user_content',`
 ')
 
 tunable_policy(`httpd_use_cifs',`
@ -7133,7 +7140,7 @@ index 6649962..da729da 100644
 
 ########################################
 #
-@@ -1321,8 +1559,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1321,8 +1565,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
 #
 
 optional_policy(`
@ -7150,7 +7157,7 @@ index 6649962..da729da 100644
 ')
 
 ########################################
-@@ -1330,49 +1575,38 @@ optional_policy(`
+@@ -1330,49 +1581,38 @@ optional_policy(`
 # User content local policy
 #
 
@ -7215,7 +7222,7 @@ index 6649962..da729da 100644
 kernel_read_system_state(httpd_passwd_t)
 
 corecmd_exec_bin(httpd_passwd_t)
-@@ -1382,38 +1616,101 @@ dev_read_urand(httpd_passwd_t)
+@@ -1382,38 +1622,101 @@ dev_read_urand(httpd_passwd_t)
 
 domain_use_interactive_fds(httpd_passwd_t)
 
@ -8483,10 +8490,15 @@ index 9078c3d..bca0ac9 100644
 +	allow $1 avahi_unit_file_t:service all_service_perms;
 ')
 diff --git a/avahi.te b/avahi.te
-index b8355b3..844e45b 100644
+index b8355b3..ad2aa45 100644
 --- a/avahi.te
 +++ b/avahi.te
-@@ -17,6 +17,10 @@ files_pid_file(avahi_var_lib_t)
+@@ -13,10 +13,14 @@ type avahi_initrc_exec_t;
+ init_script_file(avahi_initrc_exec_t)
+ 
+ type avahi_var_lib_t;
+-files_pid_file(avahi_var_lib_t)
+files_type(avahi_var_lib_t)
 
 type avahi_var_run_t;
 files_pid_file(avahi_var_run_t)
@ -9186,6 +9198,19 @@ index 1d60c27..f8bb700 100644
 
 logging_send_syslog_msg(bird_t)
 
+diff --git a/bitlbee.fc b/bitlbee.fc
+index e9708d6..61362d0 100644
+--- a/bitlbee.fc
+++ b/bitlbee.fc
+@@ -7,7 +7,7 @@
+ 
+ /var/lib/bitlbee(/.*)?	gen_context(system_u:object_r:bitlbee_var_t,s0)
+ 
+-/var/log/bip(/.*)?	gen_context(system_u:object_r:bitlbee_log_t,s0)
+/var/log/bip.*	gen_context(system_u:object_r:bitlbee_log_t,s0)
+ 
+ /var/run/bitlbee\.pid	--	gen_context(system_u:object_r:bitlbee_var_run_t,s0)
+ /var/run/bitlbee\.sock	-s	gen_context(system_u:object_r:bitlbee_var_run_t,s0)
 diff --git a/bitlbee.if b/bitlbee.if
 index e73fb79..2badfc0 100644
 --- a/bitlbee.if
@ -9206,7 +9231,7 @@ index e73fb79..2badfc0 100644
 	domain_system_change_exemption($1)
 	role_transition $2 bitlbee_initrc_exec_t system_r;
 diff --git a/bitlbee.te b/bitlbee.te
-index f5c1a48..49eff68 100644
+index f5c1a48..7d8669f 100644
 --- a/bitlbee.te
 +++ b/bitlbee.te
@@ -35,9 +35,12 @@ files_pid_file(bitlbee_var_run_t)
@ -9224,15 +9249,17 @@ index f5c1a48..49eff68 100644
 
 allow bitlbee_t bitlbee_conf_t:dir list_dir_perms;
 allow bitlbee_t bitlbee_conf_t:file read_file_perms;
-@@ -45,6 +48,7 @@ allow bitlbee_t bitlbee_conf_t:file read_file_perms;
+@@ -45,7 +48,9 @@ allow bitlbee_t bitlbee_conf_t:file read_file_perms;
 manage_dirs_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
 append_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
 create_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
 +read_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
 setattr_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
+logging_log_filetrans(bitlbee_t, bitlbee_log_t, { dir file })
 
 manage_files_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
-@@ -59,8 +63,8 @@ manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
+ manage_dirs_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
+@@ -59,8 +64,8 @@ manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
 manage_sock_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
 files_pid_filetrans(bitlbee_t, bitlbee_var_run_t, { dir file sock_file })
 
@ -9242,7 +9269,7 @@ index f5c1a48..49eff68 100644
 
 corenet_all_recvfrom_unlabeled(bitlbee_t)
 corenet_all_recvfrom_netlabel(bitlbee_t)
-@@ -109,16 +113,12 @@ corenet_tcp_sendrecv_interwise_port(bitlbee_t)
+@@ -109,16 +114,12 @@ corenet_tcp_sendrecv_interwise_port(bitlbee_t)
 dev_read_rand(bitlbee_t)
 dev_read_urand(bitlbee_t)
 
@ -13430,10 +13457,10 @@ index 0000000..25e3237
 +')
 diff --git a/cockpit.te b/cockpit.te
 new file mode 100644
-index 0000000..ede96a7
+index 0000000..589262d
 --- /dev/null
 +++ b/cockpit.te
-@@ -0,0 +1,93 @@
+@@ -0,0 +1,95 @@
 +policy_module(cockpit, 1.0.0)
 +
 +########################################
@ -13472,6 +13499,8 @@ index 0000000..ede96a7
 +corecmd_exec_bin(cockpit_t)
 +corecmd_exec_shell(cockpit_t)
 +
+corenet_tcp_bind_cockpit_port(cockpit_t)
+
 +dev_read_sysfs(cockpit_t)
 +
 +domain_use_interactive_fds(cockpit_t)
@ -39938,7 +39967,7 @@ index dff21a7..b6981c8 100644
 	init_labeled_script_domtrans($1, lircd_initrc_exec_t)
 	domain_system_change_exemption($1)
 diff --git a/lircd.te b/lircd.te
-index 483c87b..af0698b 100644
+index 483c87b..62ca3e4 100644
 --- a/lircd.te
 +++ b/lircd.te
@@ -13,7 +13,7 @@ type lircd_initrc_exec_t;
@ -39958,11 +39987,12 @@ index 483c87b..af0698b 100644
 
 read_files_pattern(lircd_t, lircd_etc_t, lircd_etc_t)
 
-@@ -64,9 +65,8 @@ files_manage_generic_locks(lircd_t)
+@@ -64,9 +65,9 @@ files_manage_generic_locks(lircd_t)
 files_read_all_locks(lircd_t)
 
 term_use_ptmx(lircd_t)
 +term_use_usb_ttys(lircd_t)
+term_use_unallocated_ttys(lircd_t)
 
 logging_send_syslog_msg(lircd_t)
 
@ -40261,7 +40291,7 @@ index dd8e01a..9cd6b0b 100644
 ## <param name="domain">
 ##	<summary>
 diff --git a/logrotate.te b/logrotate.te
-index be0ab84..9321951 100644
+index be0ab84..f4550f1 100644
 --- a/logrotate.te
 +++ b/logrotate.te
@@ -5,16 +5,22 @@ policy_module(logrotate, 1.15.0)
@ -40383,7 +40413,16 @@ index be0ab84..9321951 100644
 files_manage_generic_spool(logrotate_t)
 files_manage_generic_spool_dirs(logrotate_t)
 files_getattr_generic_locks(logrotate_t)
-@@ -103,24 +131,39 @@ init_all_labeled_script_domtrans(logrotate_t)
+@@ -95,6 +123,8 @@ mls_process_write_to_clearance(logrotate_t)
+ selinux_get_fs_mount(logrotate_t)
+ selinux_get_enforce_mode(logrotate_t)
+ 
+application_exec_all(logrotate_t)
+
+ auth_manage_login_records(logrotate_t)
+ auth_use_nsswitch(logrotate_t)
+ 
+@@ -103,24 +133,39 @@ init_all_labeled_script_domtrans(logrotate_t)
 logging_manage_all_logs(logrotate_t)
 logging_send_syslog_msg(logrotate_t)
 logging_send_audit_msgs(logrotate_t)
@ -40429,7 +40468,7 @@ index be0ab84..9321951 100644
 ')
 
 optional_policy(`
-@@ -135,16 +178,17 @@ optional_policy(`
+@@ -135,16 +180,17 @@ optional_policy(`
 
 optional_policy(`
 	apache_read_config(logrotate_t)
@ -40449,7 +40488,7 @@ index be0ab84..9321951 100644
 ')
 
 optional_policy(`
-@@ -170,6 +214,10 @@ optional_policy(`
+@@ -170,6 +216,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -40460,7 +40499,7 @@ index be0ab84..9321951 100644
 	fail2ban_stream_connect(logrotate_t)
 ')
 
-@@ -178,7 +226,7 @@ optional_policy(`
+@@ -178,7 +228,7 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -40469,7 +40508,7 @@ index be0ab84..9321951 100644
 ')
 
 optional_policy(`
-@@ -198,21 +246,26 @@ optional_policy(`
+@@ -198,21 +248,26 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -40483,24 +40522,24 @@ index be0ab84..9321951 100644
 -	openvswitch_read_pid_files(logrotate_t)
 -	openvswitch_domtrans(logrotate_t)
 +	polipo_named_filetrans_log_files(logrotate_t)
-+')
-+
-+optional_policy(`
-+	psad_domtrans(logrotate_t)
 ')
 
 optional_policy(`
 -	polipo_log_filetrans_log(logrotate_t, file, "polipo")
-+    rabbitmq_domtrans_beam(logrotate_t)
+	psad_domtrans(logrotate_t)
 ')
 
 optional_policy(`
 -	psad_domtrans(logrotate_t)
+    rabbitmq_domtrans_beam(logrotate_t)
+')
+
+optional_policy(`
 +	raid_domtrans_mdadm(logrotate_t)
 ')
 
 optional_policy(`
-@@ -228,10 +281,21 @@ optional_policy(`
+@@ -228,10 +283,21 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -40522,7 +40561,7 @@ index be0ab84..9321951 100644
 	su_exec(logrotate_t)
 ')
 
-@@ -241,13 +305,11 @@ optional_policy(`
+@@ -241,13 +307,11 @@ optional_policy(`
 
 #######################################
 #
@ -65920,7 +65959,7 @@ index ded95ec..3cf7146 100644
 +	postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
 ')
 diff --git a/postfix.te b/postfix.te
-index 5cfb83e..7a242df 100644
+index 5cfb83e..b028333 100644
 --- a/postfix.te
 +++ b/postfix.te
@@ -6,27 +6,23 @@ policy_module(postfix, 1.15.1)
@ -66016,9 +66055,8 @@ index 5cfb83e..7a242df 100644
 ########################################
 #
 -# Common postfix domain local policy
-+# Postfix master process local policy
- #
- 
+-#
+-
 -allow postfix_domain self:capability { sys_nice sys_chroot };
 -dontaudit postfix_domain self:capability sys_tty_config;
 -allow postfix_domain self:process { signal_perms setpgid setsched };
@ -66106,8 +66144,9 @@ index 5cfb83e..7a242df 100644
 -########################################
 -#
 -# Master local policy
-#
-
+# Postfix master process local policy
+ #
+ 
 -allow postfix_master_t self:capability { chown dac_override kill fowner setgid setuid sys_tty_config };
 +# chown is to set the correct ownership of queue dirs
 +allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
@ -66712,7 +66751,7 @@ index 5cfb83e..7a242df 100644
 ')
 
 optional_policy(`
-@@ -730,29 +669,30 @@ optional_policy(`
+@@ -730,28 +669,28 @@ optional_policy(`
 
 ########################################
 #
@ -66740,18 +66779,17 @@ index 5cfb83e..7a242df 100644
 -
 corecmd_exec_bin(postfix_smtpd_t)
 
+-fs_getattr_all_dirs(postfix_smtpd_t)
+-fs_getattr_all_fs(postfix_smtpd_t)
 +# for OpenSSL certificates
-+
-+# postfix checks the size of all mounted file systems
- fs_getattr_all_dirs(postfix_smtpd_t)
- fs_getattr_all_fs(postfix_smtpd_t)
 
 -mta_read_aliases(postfix_smtpd_t)
-
+# postfix checks the size of all mounted file systems
+fs_getattr_all_dirs(postfix_smtpd_t)
+ 
 optional_policy(`
 	dovecot_stream_connect_auth(postfix_smtpd_t)
- 	dovecot_stream_connect(postfix_smtpd_t)
-@@ -764,6 +704,7 @@ optional_policy(`
+@@ -764,6 +703,7 @@ optional_policy(`
 
 optional_policy(`
 	milter_stream_connect_all(postfix_smtpd_t)
@ -66759,7 +66797,7 @@ index 5cfb83e..7a242df 100644
 ')
 
 optional_policy(`
-@@ -774,31 +715,100 @@ optional_policy(`
+@@ -774,31 +714,100 @@ optional_policy(`
 	sasl_connect(postfix_smtpd_t)
 ')
 
@ -66836,7 +66874,7 @@ index 5cfb83e..7a242df 100644
 +dev_read_urand(postfix_domain)
 +
 +fs_search_auto_mountpoints(postfix_domain)
-+fs_getattr_xattr_fs(postfix_domain)
+fs_getattr_all_fs(postfix_domain)
 +fs_rw_anon_inodefs_files(postfix_domain)
 +
 +term_dontaudit_use_console(postfix_domain)
@ -73689,10 +73727,10 @@ index afc0068..3105104 100644
 +	')
 ')
 diff --git a/quantum.te b/quantum.te
-index 8644d8b..4398f8e 100644
+index 8644d8b..f7958c0 100644
 --- a/quantum.te
 +++ b/quantum.te
-@@ -5,92 +5,137 @@ policy_module(quantum, 1.1.0)
+@@ -5,92 +5,138 @@ policy_module(quantum, 1.1.0)
 # Declarations
 #
 
@ -73766,6 +73804,7 @@ index 8644d8b..4398f8e 100644
 -logging_log_filetrans(quantum_t, quantum_log_t, dir)
 +manage_dirs_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
 +manage_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
+manage_sock_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
 +files_var_lib_filetrans(neutron_t, neutron_var_lib_t, dir)
 
 -manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t)
@ -74329,7 +74368,7 @@ index 2c3d338..cf3e5ad 100644
 
 ########################################
 diff --git a/rabbitmq.te b/rabbitmq.te
-index dc3b0ed..1bd0827 100644
+index dc3b0ed..20f9ced 100644
 --- a/rabbitmq.te
 +++ b/rabbitmq.te
@@ -19,6 +19,9 @@ init_script_file(rabbitmq_initrc_exec_t)
@ -74342,7 +74381,7 @@ index dc3b0ed..1bd0827 100644
 type rabbitmq_var_log_t;
 logging_log_file(rabbitmq_var_log_t)
 
-@@ -30,6 +33,8 @@ files_pid_file(rabbitmq_var_run_t)
+@@ -30,20 +33,29 @@ files_pid_file(rabbitmq_var_run_t)
 # Beam local policy
 #
 
@ -74351,14 +74390,17 @@ index dc3b0ed..1bd0827 100644
 allow rabbitmq_beam_t self:process { setsched signal signull };
 allow rabbitmq_beam_t self:fifo_file rw_fifo_file_perms;
 allow rabbitmq_beam_t self:tcp_socket { accept listen };
-@@ -38,13 +43,17 @@ manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
+ 
+ manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
 manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
+files_var_lib_filetrans(rabbitmq_beam_t, rabbitmq_var_lib_t, { dir file })
 
 manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
 -append_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
 -create_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
 -setattr_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
 +manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
+logging_log_filetrans(rabbitmq_beam_t, rabbitmq_var_log_t, { dir file })
 +
 +manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lock_t, rabbitmq_var_lock_t)
 +manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_lock_t, rabbitmq_var_lock_t)
@ -74366,13 +74408,13 @@ index dc3b0ed..1bd0827 100644
 
 manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
 manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
- 
-+ps_process_pattern(rabbitmq_beam_t, rabbitmq_epmd_t)
+files_pid_filetrans(rabbitmq_beam_t, rabbitmq_var_run_t, { dir file })
 +
+ps_process_pattern(rabbitmq_beam_t, rabbitmq_epmd_t)
+ 
 can_exec(rabbitmq_beam_t, rabbitmq_beam_exec_t)
 
- domtrans_pattern(rabbitmq_beam_t, rabbitmq_epmd_exec_t, rabbitmq_epmd_t)
-@@ -55,57 +64,73 @@ kernel_read_fs_sysctls(rabbitmq_beam_t)
+@@ -55,57 +67,73 @@ kernel_read_fs_sysctls(rabbitmq_beam_t)
 corecmd_exec_bin(rabbitmq_beam_t)
 corecmd_exec_shell(rabbitmq_beam_t)
 
@ -74463,7 +74505,7 @@ index dc3b0ed..1bd0827 100644
 
 corenet_all_recvfrom_unlabeled(rabbitmq_epmd_t)
 corenet_all_recvfrom_netlabel(rabbitmq_epmd_t)
-@@ -117,8 +142,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
+@@ -117,8 +145,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
 corenet_tcp_bind_epmd_port(rabbitmq_epmd_t)
 corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t)
 
@ -92907,10 +92949,10 @@ index b38b8b1..eb36653 100644
 userdom_dontaudit_search_user_home_dirs(speedmgmt_t)
 
 diff --git a/squid.fc b/squid.fc
-index 0a8b0f7..5b066d3 100644
+index 0a8b0f7..20a2ecc 100644
 --- a/squid.fc
 +++ b/squid.fc
-@@ -1,12 +1,15 @@
+@@ -1,20 +1,24 @@
 -/etc/squid(/.*)?	gen_context(system_u:object_r:squid_conf_t,s0)
 +/etc/rc\.d/init\.d/squid --	gen_context(system_u:object_r:squid_initrc_exec_t,s0)
 +/etc/squid(/.*)?		gen_context(system_u:object_r:squid_conf_t,s0)
@ -92929,9 +92971,11 @@ index 0a8b0f7..5b066d3 100644
 
 /var/cache/squid(/.*)?	gen_context(system_u:object_r:squid_cache_t,s0)
 
-@@ -15,6 +18,7 @@
+ /var/log/squid(/.*)?	gen_context(system_u:object_r:squid_log_t,s0)
+ /var/log/squidGuard(/.*)?	gen_context(system_u:object_r:squid_log_t,s0)
 
- /var/run/squid\.pid	--	gen_context(system_u:object_r:squid_var_run_t,s0)
+-/var/run/squid\.pid	--	gen_context(system_u:object_r:squid_var_run_t,s0)
+/var/run/squid.*	gen_context(system_u:object_r:squid_var_run_t,s0)
 
 -/var/spool/squid(/.*)?	gen_context(system_u:object_r:squid_cache_t,s0)
 +/var/spool/squid(/.*)?		gen_context(system_u:object_r:squid_cache_t,s0)
@ -92976,7 +93020,7 @@ index 5e1f053..e7820bc 100644
 	domain_system_change_exemption($1)
 	role_transition $2 squid_initrc_exec_t system_r;
 diff --git a/squid.te b/squid.te
-index 03472ed..4ade5f1 100644
+index 03472ed..48b5633 100644
 --- a/squid.te
 +++ b/squid.te
@@ -29,7 +29,7 @@ type squid_cache_t;
@ -92988,19 +93032,19 @@ index 03472ed..4ade5f1 100644
 
 type squid_initrc_exec_t;
 init_script_file(squid_initrc_exec_t)
-@@ -37,15 +37,21 @@ init_script_file(squid_initrc_exec_t)
+@@ -37,15 +37,22 @@ init_script_file(squid_initrc_exec_t)
 type squid_log_t;
 logging_log_file(squid_log_t)
 
-type squid_tmp_t;
-files_tmp_file(squid_tmp_t)
-
- type squid_tmpfs_t;
- files_tmpfs_file(squid_tmpfs_t)
- 
-+type squid_tmp_t;
-+files_tmp_file(squid_tmp_t)
+type squid_tmpfs_t;
+files_tmpfs_file(squid_tmpfs_t)
 +
+ type squid_tmp_t;
+ files_tmp_file(squid_tmp_t)
+ 
+-type squid_tmpfs_t;
+-files_tmpfs_file(squid_tmpfs_t)
+ 
 type squid_var_run_t;
 files_pid_file(squid_var_run_t)
 
@ -93013,12 +93057,13 @@ index 03472ed..4ade5f1 100644
 ########################################
 #
 # Local policy
-@@ -78,13 +84,13 @@ manage_files_pattern(squid_t, squid_log_t, squid_log_t)
+@@ -78,15 +85,18 @@ manage_files_pattern(squid_t, squid_log_t, squid_log_t)
 manage_lnk_files_pattern(squid_t, squid_log_t, squid_log_t)
 logging_log_filetrans(squid_t, squid_log_t, { file dir })
 
 +manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t)
-+fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file)
+manage_dirs_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t)
+fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, { dir file })
 +
 manage_dirs_pattern(squid_t, squid_tmp_t, squid_tmp_t)
 manage_files_pattern(squid_t, squid_tmp_t, squid_tmp_t)
@ -93027,10 +93072,15 @@ index 03472ed..4ade5f1 100644
 -manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t)
 -fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file)
 -
+manage_dirs_pattern(squid_t, squid_var_run_t, squid_var_run_t)
 manage_files_pattern(squid_t, squid_var_run_t, squid_var_run_t)
- files_pid_filetrans(squid_t, squid_var_run_t, file)
+-files_pid_filetrans(squid_t, squid_var_run_t, file)
+manage_sock_files_pattern(squid_t, squid_var_run_t, squid_var_run_t)
+files_pid_filetrans(squid_t, squid_var_run_t, { dir file sock_file })
 
-@@ -94,7 +100,6 @@ kernel_read_kernel_sysctls(squid_t)
+ can_exec(squid_t, squid_exec_t)
+ 
+@@ -94,7 +104,6 @@ kernel_read_kernel_sysctls(squid_t)
 kernel_read_system_state(squid_t)
 kernel_read_network_state(squid_t)
 
@ -93038,7 +93088,7 @@ index 03472ed..4ade5f1 100644
 corenet_all_recvfrom_netlabel(squid_t)
 corenet_tcp_sendrecv_generic_if(squid_t)
 corenet_udp_sendrecv_generic_if(squid_t)
-@@ -132,6 +137,7 @@ corenet_tcp_sendrecv_gopher_port(squid_t)
+@@ -132,6 +141,7 @@ corenet_tcp_sendrecv_gopher_port(squid_t)
 corenet_udp_sendrecv_gopher_port(squid_t)
 
 corenet_sendrecv_squid_server_packets(squid_t)
@ -93046,7 +93096,7 @@ index 03472ed..4ade5f1 100644
 corenet_tcp_bind_squid_port(squid_t)
 corenet_udp_bind_squid_port(squid_t)
 corenet_tcp_sendrecv_squid_port(squid_t)
-@@ -154,7 +160,6 @@ dev_read_urand(squid_t)
+@@ -154,7 +164,6 @@ dev_read_urand(squid_t)
 domain_use_interactive_fds(squid_t)
 
 files_read_etc_runtime_files(squid_t)
@ -93054,7 +93104,7 @@ index 03472ed..4ade5f1 100644
 files_search_spool(squid_t)
 files_dontaudit_getattr_tmp_dirs(squid_t)
 files_getattr_home_dir(squid_t)
-@@ -176,7 +181,6 @@ libs_exec_lib_files(squid_t)
+@@ -176,7 +185,6 @@ libs_exec_lib_files(squid_t)
 logging_send_syslog_msg(squid_t)
 
 miscfiles_read_generic_certs(squid_t)
@ -93062,7 +93112,7 @@ index 03472ed..4ade5f1 100644
 
 userdom_use_unpriv_users_fds(squid_t)
 userdom_dontaudit_search_user_home_dirs(squid_t)
-@@ -197,28 +201,31 @@ tunable_policy(`squid_use_tproxy',`
+@@ -197,28 +205,31 @@ tunable_policy(`squid_use_tproxy',`
 
 optional_policy(`
 	apache_content_template(squid)
@ -93108,7 +93158,7 @@ index 03472ed..4ade5f1 100644
 ')
 
 optional_policy(`
-@@ -236,3 +243,24 @@ optional_policy(`
+@@ -236,3 +247,24 @@ optional_policy(`
 optional_policy(`
 	udev_read_db(squid_t)
 ')
@ -94199,10 +94249,10 @@ index 49d688d..f07cc80 100644
 sysnet_dns_name_resolve(svnserve_t)
 diff --git a/swift.fc b/swift.fc
 new file mode 100644
-index 0000000..a4ec18a
+index 0000000..b07d112
 --- /dev/null
 +++ b/swift.fc
-@@ -0,0 +1,30 @@
+@@ -0,0 +1,32 @@
 +/usr/bin/swift-account-auditor		--	gen_context(system_u:object_r:swift_exec_t,s0)
 +/usr/bin/swift-account-reaper		--	gen_context(system_u:object_r:swift_exec_t,s0)
 +/usr/bin/swift-account-replicator	--	gen_context(system_u:object_r:swift_exec_t,s0)
@ -94220,6 +94270,8 @@ index 0000000..a4ec18a
 +/usr/bin/swift-object-server		--	gen_context(system_u:object_r:swift_exec_t,s0)
 +/usr/bin/swift-object-updater		--	gen_context(system_u:object_r:swift_exec_t,s0)
 +
+/usr/bin/swift-proxy-server         --  gen_context(system_u:object_r:swift_exec_t,s0)
+
 +/usr/lib/systemd/system/openstack-swift.*      --  gen_context(system_u:object_r:swift_unit_file_t,s0)
 +
 +/var/lock/swift.*                   gen_context(system_u:object_r:swift_lock_t,s0)
@ -101544,7 +101596,7 @@ index facdee8..88dcafb 100644
 +	virt_stream_connect($1)
 ')
 diff --git a/virt.te b/virt.te
-index f03dcf5..0b4a6fa 100644
+index f03dcf5..f74be5f 100644
 --- a/virt.te
 +++ b/virt.te
@@ -1,150 +1,212 @@
@ -103285,7 +103337,7 @@ index f03dcf5..0b4a6fa 100644
 +typeattribute svirt_lxc_net_t sandbox_net_domain;
 
 -allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap };
-+allow svirt_lxc_net_t self:capability { kill setuid setgid setfcap sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_nice sys_ptrace sys_resource setpcap };
+allow svirt_lxc_net_t self:capability { kill setuid setgid ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_nice sys_ptrace };
 dontaudit svirt_lxc_net_t self:capability2 block_suspend;
 -allow svirt_lxc_net_t self:process setrlimit;
 -allow svirt_lxc_net_t self:tcp_socket { accept listen };
@ -106792,7 +106844,7 @@ index 2695db2..123c042 100644
 userdom_search_user_home_dirs(yam_t)
 
 diff --git a/zabbix.fc b/zabbix.fc
-index c3b5a81..52c1586 100644
+index c3b5a81..6ebb8d6 100644
 --- a/zabbix.fc
 +++ b/zabbix.fc
@@ -4,12 +4,17 @@
@ -106810,8 +106862,9 @@ index c3b5a81..52c1586 100644
 +/usr/sbin/zabbix_proxy_pgsql   --  gen_context(system_u:object_r:zabbix_exec_t,s0)
 +/usr/sbin/zabbix_proxy_sqlite3 --  gen_context(system_u:object_r:zabbix_exec_t,s0)
 
+-/var/log/zabbix(/.*)?	gen_context(system_u:object_r:zabbix_log_t,s0)
 +/var/lib/zabbixsrv(/.*)?	gen_context(system_u:object_r:zabbix_var_lib_t,s0)
- /var/log/zabbix(/.*)?	gen_context(system_u:object_r:zabbix_log_t,s0)
+/var/log/zabbix.*	gen_context(system_u:object_r:zabbix_log_t,s0)
 
 /var/run/zabbix(/.*)?	gen_context(system_u:object_r:zabbix_var_run_t,s0)
 diff --git a/zabbix.if b/zabbix.if
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 54%{?dist}
+Release: 55%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -588,6 +588,25 @@ SELinux Reference policy mls base module.
 %endif

 %changelog
+* Tue May 27 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-55
+- Add decl for cockip port
+- Allow sysadm_t to read all kernel proc
+- Allow logrotate to execute all executables
+- Allow lircd_t to use tty_device_t for use withmythtv
+- Make sure all zabbix files direcories in /var/log have the correct label
+- Allow bittlebee to create directories and files in /var/log with the correct label
+- Label /var/log/horizon as an apache log
+- Add squid directory in /var/run
+- Add transition rules to allow rabbitmq to create log files and var_lib files with the correct label
+- Wronly labeled avahi_var_lib_t as a pid file
+- Fix labels on rabbitmq_var_run_t on file/dir creation
+- Allow neutron to create sock files
+- Allow postfix domains to getattr on all file systems
+- Label swift-proxy-server as swift_exec_t
+- Tighten SELinux capabilities to match docker capabilities
+- Add fixes for squid which is configured to run with more than one worker.
+- Allow cockpit to bind to its port
+
 * Tue May 20 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-54
 - geard seems to do a lot of relabeling
 - Allow system_mail_t to append to munin_var_lib_t