- Allow xdm_t to act as a dbus client to itsel

- Allow fetchmail to resolve host names
- Allow gnupg apps to write to pcscd socket
- Add labeling for cmpiLMI_Fan-cimprovagt
- Allow net_admin for glusterd
- Allow telepathy domain to create dconf with correct labeling in /home/user
- Add pegasus_openlmi_system_t
- Fix puppet_domtrans_master() to make all puppet calling working in passeng
-httpd_t does access_check on certs

policy-rawhide-base.patch

@@ -22530,7 +22530,7 @@ index 6bf0ecc..d740738 100644
 +	dontaudit $1 xserver_log_t:dir search_dir_perms;
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 2696452..31450f4 100644
+index 2696452..63fd06a 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -26,28 +26,59 @@ gen_require(`
@@ -22876,7 +22876,7 @@ index 2696452..31450f4 100644
  	ssh_sigchld(xauth_t)
  	ssh_read_pipes(xauth_t)
  	ssh_dontaudit_rw_tcp_sockets(xauth_t)
-@@ -299,64 +408,107 @@ optional_policy(`
+@@ -299,64 +408,108 @@ optional_policy(`
  # XDM Local policy
  #
  
@@ -22899,6 +22899,7 @@ index 2696452..31450f4 100644
  allow xdm_t self:tcp_socket create_stream_socket_perms;
  allow xdm_t self:udp_socket create_socket_perms;
 +allow xdm_t self:netlink_kobject_uevent_socket create_socket_perms;
++allow xdm_t self:netlink_selinux_socket create_socket_perms;
  allow xdm_t self:socket create_socket_perms;
  allow xdm_t self:appletalk_socket create_socket_perms;
  allow xdm_t self:key { search link write };
@@ -22994,7 +22995,7 @@ index 2696452..31450f4 100644
  
  # connect to xdm xserver over stream socket
  stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -365,20 +517,27 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -365,20 +518,27 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
  delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  
@@ -23024,7 +23025,7 @@ index 2696452..31450f4 100644
  corenet_all_recvfrom_netlabel(xdm_t)
  corenet_tcp_sendrecv_generic_if(xdm_t)
  corenet_udp_sendrecv_generic_if(xdm_t)
-@@ -388,38 +547,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -388,38 +548,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
  corenet_udp_sendrecv_all_ports(xdm_t)
  corenet_tcp_bind_generic_node(xdm_t)
  corenet_udp_bind_generic_node(xdm_t)
@@ -23077,7 +23078,7 @@ index 2696452..31450f4 100644
  
  files_read_etc_files(xdm_t)
  files_read_var_files(xdm_t)
-@@ -430,9 +599,28 @@ files_list_mnt(xdm_t)
+@@ -430,9 +600,28 @@ files_list_mnt(xdm_t)
  files_read_usr_files(xdm_t)
  # Poweroff wants to create the /poweroff file when run from xdm
  files_create_boot_flag(xdm_t)
@@ -23106,7 +23107,7 @@ index 2696452..31450f4 100644
  
  storage_dontaudit_read_fixed_disk(xdm_t)
  storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -441,28 +629,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -441,28 +630,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
  storage_dontaudit_raw_write_removable_device(xdm_t)
  storage_dontaudit_setattr_removable_dev(xdm_t)
  storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -23155,7 +23156,7 @@ index 2696452..31450f4 100644
  
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -471,24 +676,144 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -471,24 +677,144 @@ userdom_read_user_home_content_files(xdm_t)
  # Search /proc for any user domain processes.
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
@@ -23306,7 +23307,7 @@ index 2696452..31450f4 100644
  tunable_policy(`xdm_sysadm_login',`
  	userdom_xsession_spec_domtrans_all_users(xdm_t)
  	# FIXME:
-@@ -502,11 +827,26 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -502,11 +828,26 @@ tunable_policy(`xdm_sysadm_login',`
  ')
  
  optional_policy(`
@@ -23333,11 +23334,12 @@ index 2696452..31450f4 100644
  ')
  
  optional_policy(`
-@@ -514,12 +854,55 @@ optional_policy(`
+@@ -514,12 +855,56 @@ optional_policy(`
  ')
  
  optional_policy(`
 +	dbus_system_bus_client(xdm_t)
++	dbus_connect_system_bus(xdm_t)
 +
 +	optional_policy(`
 +		bluetooth_dbus_chat(xdm_t)
@@ -23389,7 +23391,7 @@ index 2696452..31450f4 100644
  	hostname_exec(xdm_t)
  ')
  
-@@ -537,28 +920,78 @@ optional_policy(`
+@@ -537,28 +922,78 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -23477,7 +23479,7 @@ index 2696452..31450f4 100644
  ')
  
  optional_policy(`
-@@ -570,6 +1003,14 @@ optional_policy(`
+@@ -570,6 +1005,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -23492,7 +23494,7 @@ index 2696452..31450f4 100644
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -594,8 +1035,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -594,8 +1037,11 @@ allow xserver_t input_xevent_t:x_event send;
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -23505,7 +23507,7 @@ index 2696452..31450f4 100644
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:fd use;
  allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -608,8 +1052,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -608,8 +1054,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -23521,7 +23523,7 @@ index 2696452..31450f4 100644
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -617,6 +1068,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+@@ -617,6 +1070,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
  
  filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
  
@@ -23532,7 +23534,7 @@ index 2696452..31450f4 100644
  manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
  manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
  manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -628,12 +1083,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -628,12 +1085,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -23554,7 +23556,7 @@ index 2696452..31450f4 100644
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -641,12 +1103,12 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -641,12 +1105,12 @@ kernel_read_modprobe_sysctls(xserver_t)
  # Xorg wants to check if kernel is tainted
  kernel_read_kernel_sysctls(xserver_t)
  kernel_write_proc_files(xserver_t)
@@ -23568,7 +23570,7 @@ index 2696452..31450f4 100644
  corenet_all_recvfrom_netlabel(xserver_t)
  corenet_tcp_sendrecv_generic_if(xserver_t)
  corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -667,23 +1129,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -667,23 +1131,28 @@ dev_rw_apm_bios(xserver_t)
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -23600,7 +23602,7 @@ index 2696452..31450f4 100644
  
  # brought on by rhgb
  files_search_mnt(xserver_t)
-@@ -694,7 +1161,16 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -694,7 +1163,16 @@ fs_getattr_xattr_fs(xserver_t)
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -23618,7 +23620,7 @@ index 2696452..31450f4 100644
  mls_xwin_read_to_clearance(xserver_t)
  
  selinux_validate_context(xserver_t)
-@@ -708,20 +1184,18 @@ init_getpgid(xserver_t)
+@@ -708,20 +1186,18 @@ init_getpgid(xserver_t)
  term_setattr_unallocated_ttys(xserver_t)
  term_use_unallocated_ttys(xserver_t)
  
@@ -23642,7 +23644,7 @@ index 2696452..31450f4 100644
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -729,8 +1203,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -729,8 +1205,6 @@ userdom_setattr_user_ttys(xserver_t)
  userdom_read_user_tmp_files(xserver_t)
  userdom_rw_user_tmpfs_files(xserver_t)
  
@@ -23651,7 +23653,7 @@ index 2696452..31450f4 100644
  ifndef(`distro_redhat',`
  	allow xserver_t self:process { execmem execheap execstack };
  	domain_mmap_low_uncond(xserver_t)
-@@ -775,16 +1247,44 @@ optional_policy(`
+@@ -775,16 +1249,44 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -23697,7 +23699,7 @@ index 2696452..31450f4 100644
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -793,6 +1293,10 @@ optional_policy(`
+@@ -793,6 +1295,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -23708,7 +23710,7 @@ index 2696452..31450f4 100644
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -808,10 +1312,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -808,10 +1314,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -23722,7 +23724,7 @@ index 2696452..31450f4 100644
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -819,7 +1323,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -819,7 +1325,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  
  # Run xkbcomp.
@@ -23731,7 +23733,7 @@ index 2696452..31450f4 100644
  can_exec(xserver_t, xkb_var_lib_t)
  
  # VNC v4 module in X server
-@@ -832,26 +1336,21 @@ init_use_fds(xserver_t)
+@@ -832,26 +1338,21 @@ init_use_fds(xserver_t)
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -23766,7 +23768,7 @@ index 2696452..31450f4 100644
  ')
  
  optional_policy(`
-@@ -902,7 +1401,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -902,7 +1403,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
  allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -23775,7 +23777,7 @@ index 2696452..31450f4 100644
  # operations allowed on all windows
  allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
  
-@@ -956,11 +1455,31 @@ allow x_domain self:x_resource { read write };
+@@ -956,11 +1457,31 @@ allow x_domain self:x_resource { read write };
  # can mess with the screensaver
  allow x_domain xserver_t:x_screen { getattr saver_getattr };
  
@@ -23807,7 +23809,7 @@ index 2696452..31450f4 100644
  tunable_policy(`! xserver_object_manager',`
  	# should be xserver_unconfined(x_domain),
  	# but typeattribute doesnt work in conditionals
-@@ -982,18 +1501,150 @@ tunable_policy(`! xserver_object_manager',`
+@@ -982,18 +1503,150 @@ tunable_policy(`! xserver_object_manager',`
  	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
  ')
  
@@ -31566,7 +31568,7 @@ index 9fe8e01..83acb32 100644
  /var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
  ')
 diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
-index fc28bc3..18451e8 100644
+index fc28bc3..416ac0f 100644
 --- a/policy/modules/system/miscfiles.if
 +++ b/policy/modules/system/miscfiles.if
 @@ -106,6 +106,24 @@ interface(`miscfiles_manage_generic_cert_dirs',`
@@ -31606,7 +31608,7 @@ index fc28bc3..18451e8 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`corecmd_dontaudit_access_check_cert',`
++interface(`miscfiles_dontaudit_access_check_cert',`
 +	gen_require(`
 +		type cert_t;
 +	')

policy-rawhide-contrib.patch

@@ -4534,7 +4534,7 @@ index 83e899c..c5be77c 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
  ')
 diff --git a/apache.te b/apache.te
-index 1a82e29..a68bd53 100644
+index 1a82e29..2becd8b 100644
 --- a/apache.te
 +++ b/apache.te
 @@ -1,297 +1,367 @@
@@ -5222,7 +5222,7 @@ index 1a82e29..a68bd53 100644
  allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
  
  manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-@@ -445,140 +551,164 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -445,140 +551,165 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  
@@ -5339,9 +5339,10 @@ index 1a82e29..a68bd53 100644
  miscfiles_read_public_files(httpd_t)
  miscfiles_read_generic_certs(httpd_t)
  miscfiles_read_tetex_data(httpd_t)
- 
--seutil_dontaudit_search_config(httpd_t)
 -
+-seutil_dontaudit_search_config(httpd_t)
++miscfiles_dontaudit_access_check_cert(httpd_t)
+ 
  userdom_use_unpriv_users_fds(httpd_t)
  
 -ifdef(`TODO',`
@@ -5452,7 +5453,7 @@ index 1a82e29..a68bd53 100644
  ')
  
  tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -589,28 +719,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -589,28 +720,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
  	fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
  ')
  
@@ -5512,7 +5513,7 @@ index 1a82e29..a68bd53 100644
  ')
  
  tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -619,68 +771,38 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -619,68 +772,38 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
  	fs_read_nfs_symlinks(httpd_t)
  ')
  
@@ -5597,7 +5598,7 @@ index 1a82e29..a68bd53 100644
  ')
  
  tunable_policy(`httpd_setrlimit',`
-@@ -690,49 +812,48 @@ tunable_policy(`httpd_setrlimit',`
+@@ -690,49 +813,48 @@ tunable_policy(`httpd_setrlimit',`
  
  tunable_policy(`httpd_ssi_exec',`
  	corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@@ -5678,7 +5679,7 @@ index 1a82e29..a68bd53 100644
  ')
  
  optional_policy(`
-@@ -743,14 +864,6 @@ optional_policy(`
+@@ -743,14 +865,6 @@ optional_policy(`
  	ccs_read_config(httpd_t)
  ')
  
@@ -5693,7 +5694,7 @@ index 1a82e29..a68bd53 100644
  
  optional_policy(`
  	cron_system_entry(httpd_t, httpd_exec_t)
-@@ -765,6 +878,23 @@ optional_policy(`
+@@ -765,6 +879,23 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -5717,7 +5718,7 @@ index 1a82e29..a68bd53 100644
  	dbus_system_bus_client(httpd_t)
  
  	tunable_policy(`httpd_dbus_avahi',`
-@@ -781,34 +911,42 @@ optional_policy(`
+@@ -781,34 +912,42 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -5771,7 +5772,7 @@ index 1a82e29..a68bd53 100644
  
  	tunable_policy(`httpd_manage_ipa',`
  		memcached_manage_pid_files(httpd_t)
-@@ -816,8 +954,18 @@ optional_policy(`
+@@ -816,8 +955,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -5790,7 +5791,7 @@ index 1a82e29..a68bd53 100644
  
  	tunable_policy(`httpd_can_network_connect_db',`
  		mysql_tcp_connect(httpd_t)
-@@ -826,6 +974,7 @@ optional_policy(`
+@@ -826,6 +975,7 @@ optional_policy(`
  
  optional_policy(`
  	nagios_read_config(httpd_t)
@@ -5798,7 +5799,7 @@ index 1a82e29..a68bd53 100644
  ')
  
  optional_policy(`
-@@ -836,20 +985,39 @@ optional_policy(`
+@@ -836,20 +986,39 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -5844,7 +5845,7 @@ index 1a82e29..a68bd53 100644
  ')
  
  optional_policy(`
-@@ -857,19 +1025,35 @@ optional_policy(`
+@@ -857,19 +1026,35 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -5880,7 +5881,7 @@ index 1a82e29..a68bd53 100644
  	udev_read_db(httpd_t)
  ')
  
-@@ -877,65 +1061,170 @@ optional_policy(`
+@@ -877,65 +1062,170 @@ optional_policy(`
  	yam_read_content(httpd_t)
  ')
  
@@ -6073,7 +6074,7 @@ index 1a82e29..a68bd53 100644
  files_dontaudit_search_pids(httpd_suexec_t)
  files_search_home(httpd_suexec_t)
  
-@@ -944,123 +1233,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -944,123 +1234,74 @@ auth_use_nsswitch(httpd_suexec_t)
  logging_search_logs(httpd_suexec_t)
  logging_send_syslog_msg(httpd_suexec_t)
  
@@ -6228,7 +6229,7 @@ index 1a82e29..a68bd53 100644
  	mysql_read_config(httpd_suexec_t)
  
  	tunable_policy(`httpd_can_network_connect_db',`
-@@ -1077,172 +1317,104 @@ optional_policy(`
+@@ -1077,172 +1318,104 @@ optional_policy(`
  	')
  ')
  
@@ -6464,7 +6465,7 @@ index 1a82e29..a68bd53 100644
  ')
  
  tunable_policy(`httpd_read_user_content',`
-@@ -1250,64 +1422,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1250,64 +1423,74 @@ tunable_policy(`httpd_read_user_content',`
  ')
  
  tunable_policy(`httpd_use_cifs',`
@@ -6561,7 +6562,7 @@ index 1a82e29..a68bd53 100644
  
  ########################################
  #
-@@ -1315,8 +1497,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1315,8 +1498,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
  #
  
  optional_policy(`
@@ -6578,7 +6579,7 @@ index 1a82e29..a68bd53 100644
  ')
  
  ########################################
-@@ -1324,49 +1513,36 @@ optional_policy(`
+@@ -1324,49 +1514,36 @@ optional_policy(`
  # User content local policy
  #
  
@@ -6642,7 +6643,7 @@ index 1a82e29..a68bd53 100644
  kernel_read_system_state(httpd_passwd_t)
  
  corecmd_exec_bin(httpd_passwd_t)
-@@ -1376,38 +1552,99 @@ dev_read_urand(httpd_passwd_t)
+@@ -1376,38 +1553,99 @@ dev_read_urand(httpd_passwd_t)
  
  domain_use_interactive_fds(httpd_passwd_t)
  
@@ -8267,7 +8268,7 @@ index 866a1e2..6c2dbe4 100644
 +	allow $1 named_unit_file_t:service all_service_perms;
  ')
 diff --git a/bind.te b/bind.te
-index 076ffee..e3dbd11 100644
+index 076ffee..9977c4d 100644
 --- a/bind.te
 +++ b/bind.te
 @@ -34,7 +34,7 @@ type named_checkconf_exec_t;
@@ -8308,7 +8309,15 @@ index 076ffee..e3dbd11 100644
  corenet_all_recvfrom_netlabel(named_t)
  corenet_tcp_sendrecv_generic_if(named_t)
  corenet_udp_sendrecv_generic_if(named_t)
-@@ -170,6 +173,11 @@ tunable_policy(`named_write_master_zones',`
+@@ -139,6 +142,7 @@ corenet_tcp_sendrecv_all_ports(named_t)
+ dev_read_sysfs(named_t)
+ dev_read_rand(named_t)
+ dev_read_urand(named_t)
++dev_dontaudit_write_urand(named_t)
+ 
+ domain_use_interactive_fds(named_t)
+ 
+@@ -170,6 +174,11 @@ tunable_policy(`named_write_master_zones',`
  ')
  
  optional_policy(`
@@ -8320,7 +8329,7 @@ index 076ffee..e3dbd11 100644
  	dbus_system_domain(named_t, named_exec_t)
  
  	init_dbus_chat_script(named_t)
-@@ -183,6 +191,7 @@ optional_policy(`
+@@ -183,6 +192,7 @@ optional_policy(`
  
  optional_policy(`
  	kerberos_keytab_template(named, named_t)
@@ -8328,7 +8337,7 @@ index 076ffee..e3dbd11 100644
  ')
  
  optional_policy(`
-@@ -209,7 +218,8 @@ optional_policy(`
+@@ -209,7 +219,8 @@ optional_policy(`
  #
  
  allow ndc_t self:capability { dac_override net_admin };
@@ -8338,7 +8347,7 @@ index 076ffee..e3dbd11 100644
  allow ndc_t self:fifo_file rw_fifo_file_perms;
  allow ndc_t self:unix_stream_socket { accept listen };
  
-@@ -223,10 +233,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
+@@ -223,10 +234,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
  
  allow ndc_t named_zone_t:dir search_dir_perms;
  
@@ -8350,7 +8359,7 @@ index 076ffee..e3dbd11 100644
  corenet_all_recvfrom_netlabel(ndc_t)
  corenet_tcp_sendrecv_generic_if(ndc_t)
  corenet_tcp_sendrecv_generic_node(ndc_t)
-@@ -251,7 +260,7 @@ init_use_script_ptys(ndc_t)
+@@ -251,7 +261,7 @@ init_use_script_ptys(ndc_t)
  
  logging_send_syslog_msg(ndc_t)
  
@@ -23353,7 +23362,7 @@ index c3f7916..cab3954 100644
  	admin_pattern($1, fetchmail_etc_t)
  
 diff --git a/fetchmail.te b/fetchmail.te
-index f0388cb..fd440f8 100644
+index f0388cb..7d63acb 100644
 --- a/fetchmail.te
 +++ b/fetchmail.te
 @@ -39,8 +39,6 @@ allow fetchmail_t self:unix_stream_socket { accept listen };
@@ -23385,7 +23394,7 @@ index f0388cb..fd440f8 100644
  corenet_all_recvfrom_netlabel(fetchmail_t)
  corenet_tcp_sendrecv_generic_if(fetchmail_t)
  corenet_tcp_sendrecv_generic_node(fetchmail_t)
-@@ -84,15 +86,17 @@ fs_search_auto_mountpoints(fetchmail_t)
+@@ -84,15 +86,19 @@ fs_search_auto_mountpoints(fetchmail_t)
  
  domain_use_interactive_fds(fetchmail_t)
  
@@ -23397,6 +23406,8 @@ index f0388cb..fd440f8 100644
 -miscfiles_read_localization(fetchmail_t)
  miscfiles_read_generic_certs(fetchmail_t)
  
++sysnet_dns_name_resolve(fetchmail_t)
++
  userdom_dontaudit_use_unpriv_user_fds(fetchmail_t)
 -userdom_search_user_home_dirs(fetchmail_t)
 +
@@ -25028,10 +25039,10 @@ index 0000000..1ed97fe
 +
 diff --git a/glusterd.te b/glusterd.te
 new file mode 100644
-index 0000000..cbe51a9
+index 0000000..3156ad4
 --- /dev/null
 +++ b/glusterd.te
-@@ -0,0 +1,164 @@
+@@ -0,0 +1,166 @@
 +policy_module(glusterfs, 1.0.1)
 +
 +## <desc>
@@ -25089,7 +25100,7 @@ index 0000000..cbe51a9
 +# Local policy
 +#
 +
-+allow glusterd_t self:capability { sys_admin sys_resource dac_override chown dac_read_search fowner setuid };
++allow glusterd_t self:capability { sys_admin sys_resource dac_override chown dac_read_search fowner setuid net_admin };
 +allow glusterd_t self:capability2 block_suspend;
 +allow glusterd_t self:process { getcap setcap setrlimit signal_perms };
 +allow glusterd_t self:fifo_file rw_fifo_file_perms;
@@ -25164,6 +25175,8 @@ index 0000000..cbe51a9
 +
 +fs_getattr_all_fs(glusterd_t)
 +
++files_mounton_mnt(glusterd_t)
++
 +storage_rw_fuse(glusterd_t)
 +
 +auth_use_nsswitch(glusterd_t)
@@ -25476,7 +25489,7 @@ index e39de43..5818f74 100644
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper	--		gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 diff --git a/gnome.if b/gnome.if
-index d03fd43..567f963 100644
+index d03fd43..e334392 100644
 --- a/gnome.if
 +++ b/gnome.if
 @@ -1,123 +1,155 @@
@@ -26558,15 +26571,13 @@ index d03fd43..567f963 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -704,12 +795,811 @@ interface(`gnome_stream_connect_gkeyringd',`
+@@ -704,12 +795,830 @@ interface(`gnome_stream_connect_gkeyringd',`
  ##	</summary>
  ## </param>
  #
 -interface(`gnome_stream_connect_all_gkeyringd',`
 +interface(`gnome_exec_gconf',`
- 	gen_require(`
++	gen_require(`
--		attribute gkeyringd_domain;
--		type gnome_keyring_tmp_t;
 +		type gconfd_exec_t;
 +	')
 +
@@ -26649,10 +26660,9 @@ index d03fd43..567f963 100644
 +interface(`gnome_list_gkeyringd_tmp_dirs',`
 +	gen_require(`
 +		type gkeyringd_tmp_t;
- 	')
++	')
- 
++
- 	files_search_tmp($1)
++	files_search_tmp($1)
--	stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain)
 +	allow $1 gkeyringd_tmp_t:dir list_dir_perms;
 +')
 +
@@ -27118,11 +27128,14 @@ index d03fd43..567f963 100644
 +## </param>
 +#
 +interface(`gnome_dbus_chat_gkeyringd',`
-+	gen_require(`
+ 	gen_require(`
-+		attribute gkeyringd_domain;
+ 		attribute gkeyringd_domain;
+-		type gnome_keyring_tmp_t;
 +		class dbus send_msg;
-+	')
+ 	')
-+
+ 
+-	files_search_tmp($1)
+-	stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain)
 +	allow $1 gkeyringd_domain:dbus send_msg;
 +	allow gkeyringd_domain $1:dbus send_msg;
 +')
@@ -27295,6 +27308,25 @@ index d03fd43..567f963 100644
 +
 +########################################
 +## <summary>
++##	Create gnome dconf dir in the user home directory
++##	with an correct label.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`gnome_filetrans_config_home_content',`
++    gen_require(`
++        type config_home_t;
++    ')
++
++    gnome_cache_filetrans($1, config_home_t, dir, "dconf")
++')
++
++########################################
++## <summary>
 +##	Create gnome directory in the /root directory
 +##	with an correct label.
 +## </summary>
@@ -28216,7 +28248,7 @@ index 180f1b7..951b790 100644
 +	userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
 +')
 diff --git a/gpg.te b/gpg.te
-index 44cf341..b04d02c 100644
+index 44cf341..8aa9dd9 100644
 --- a/gpg.te
 +++ b/gpg.te
 @@ -1,47 +1,47 @@
@@ -28559,7 +28591,7 @@ index 44cf341..b04d02c 100644
  corecmd_exec_shell(gpg_agent_t)
  
  dev_read_rand(gpg_agent_t)
-@@ -239,31 +263,30 @@ domain_use_interactive_fds(gpg_agent_t)
+@@ -239,37 +263,40 @@ domain_use_interactive_fds(gpg_agent_t)
  
  fs_dontaudit_list_inotifyfs(gpg_agent_t)
  
@@ -28602,7 +28634,17 @@ index 44cf341..b04d02c 100644
  ')
  
  optional_policy(`
-@@ -277,8 +300,17 @@ optional_policy(`
+ 	mozilla_dontaudit_rw_user_home_files(gpg_agent_t)
+ ')
+ 
++optional_policy(`
++	pcscd_stream_connect(gpg_agent_t)
++')
++
+ ##############################
+ #
+ # Pinentry local policy
+@@ -277,8 +304,17 @@ optional_policy(`
  
  allow gpg_pinentry_t self:process { getcap getsched setsched signal };
  allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
@@ -28621,7 +28663,7 @@ index 44cf341..b04d02c 100644
  
  manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
  userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file)
-@@ -287,53 +319,89 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
+@@ -287,53 +323,89 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
  manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
  fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
  
@@ -36793,9 +36835,18 @@ index 1d4eb19..650014e 100644
  	admin_pattern($1, memcached_var_run_t)
  ')
 diff --git a/memcached.te b/memcached.te
-index 4926208..293e577 100644
+index 4926208..018a640 100644
 --- a/memcached.te
 +++ b/memcached.te
+@@ -20,7 +20,7 @@ files_pid_file(memcached_var_run_t)
+ # Local policy
+ #
+ 
+-allow memcached_t self:capability { setuid setgid };
++allow memcached_t self:capability { setuid setgid sys_resource };
+ dontaudit memcached_t self:capability sys_tty_config;
+ allow memcached_t self:process { setrlimit signal_perms };
+ allow memcached_t self:tcp_socket { accept listen };
 @@ -57,4 +57,3 @@ term_dontaudit_use_console(memcached_t)
  
  auth_use_nsswitch(memcached_t)
@@ -45993,10 +46044,10 @@ index 0000000..cf8f660
 +')
 diff --git a/nova.te b/nova.te
 new file mode 100644
-index 0000000..061a689
+index 0000000..fc9f771
 --- /dev/null
 +++ b/nova.te
-@@ -0,0 +1,329 @@
+@@ -0,0 +1,328 @@
 +policy_module(nova, 1.0.0)
 +
 +########################################
@@ -46058,6 +46109,7 @@ index 0000000..061a689
 +corecmd_exec_shell(nova_domain)
 +corenet_tcp_connect_mysqld_port(nova_domain)
 +
++dev_read_sysfs(nova_domain)
 +dev_read_urand(nova_domain)
 +
 +fs_getattr_xattr_fs(nova_domain)
@@ -46159,8 +46211,6 @@ index 0000000..061a689
 +
 +dev_read_rand(nova_compute_t)
 +
-+dev_read_sysfs(nova_compute_t)
-+
 +optional_policy(`
 +	virt_getattr_exec(nova_compute_t)
 +	virt_stream_connect(nova_compute_t)
@@ -52551,10 +52601,10 @@ index 96db654..ff3aadd 100644
 +	virt_rw_svirt_dev(pcscd_t)
 +')
 diff --git a/pegasus.fc b/pegasus.fc
-index dfd46e4..6667b8a 100644
+index dfd46e4..0aead56 100644
 --- a/pegasus.fc
 +++ b/pegasus.fc
-@@ -1,15 +1,20 @@
+@@ -1,15 +1,21 @@
 -/etc/Pegasus(/.*)?	gen_context(system_u:object_r:pegasus_conf_t,s0)
 +
 +/etc/Pegasus(/.*)?			gen_context(system_u:object_r:pegasus_conf_t,s0)
@@ -52577,6 +52627,7 @@ index dfd46e4..6667b8a 100644
 -/var/run/tog-pegasus(/.*)?	gen_context(system_u:object_r:pegasus_var_run_t,s0)
 +#openlmi agents
 +/usr/libexec/pegasus/cmpiLMI_Account-cimprovagt --  gen_context(system_u:object_r:pegasus_openlmi_account_exec_t,s0)
++/usr/libexec/pegasus/cmpiLMI_Fan-cimprovagt     --  gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0)
 +/usr/libexec/pegasus/cmpiLMI_LogicalFile-cimprovagt --  gen_context(system_u:object_r:pegasus_openlmi_logicalfile_exec_t,s0)
 +/usr/libexec/pegasus/cmpiLMI_Networking-cimprovagt --  gen_context(system_u:object_r:pegasus_openlmi_networking_exec_t,s0)
 +/usr/libexec/pegasus/cmpiLMI_Service-cimprovagt     --  gen_context(system_u:object_r:pegasus_openlmi_service_exec_t,s0)
@@ -52684,7 +52735,7 @@ index d2fc677..ded726f 100644
  ')
 +
 diff --git a/pegasus.te b/pegasus.te
-index 7bcf327..71ab12b 100644
+index 7bcf327..b6885d4 100644
 --- a/pegasus.te
 +++ b/pegasus.te
 @@ -1,17 +1,16 @@
@@ -52708,7 +52759,7 @@ index 7bcf327..71ab12b 100644
  type pegasus_cache_t;
  files_type(pegasus_cache_t)
  
-@@ -30,20 +29,196 @@ files_type(pegasus_mof_t)
+@@ -30,20 +29,199 @@ files_type(pegasus_mof_t)
  type pegasus_var_run_t;
  files_pid_file(pegasus_var_run_t)
  
@@ -52722,6 +52773,7 @@ index 7bcf327..71ab12b 100644
 +type pegasus_openlmi_storage_tmp_t;
 +files_tmp_file(pegasus_openlmi_storage_tmp_t)
 +
++pegasus_openlmi_domain_template(system)
 +pegasus_openlmi_domain_template(unconfined)
 +
 +#######################################
@@ -52739,6 +52791,8 @@ index 7bcf327..71ab12b 100644
 +corecmd_exec_bin(pegasus_openlmi_domain)
 +corecmd_exec_shell(pegasus_openlmi_domain)
 +
++dev_read_sysfs(pegasus_openlmi_domain)
++
 +auth_read_passwd(pegasus_openlmi_domain)
 +
 +sysnet_read_config(pegasus_openlmi_domain)
@@ -52910,7 +52964,7 @@ index 7bcf327..71ab12b 100644
  allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
  
  manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
-@@ -54,22 +229,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
+@@ -54,22 +232,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
  manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
  manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
  manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
@@ -52941,7 +52995,7 @@ index 7bcf327..71ab12b 100644
  
  kernel_read_network_state(pegasus_t)
  kernel_read_kernel_sysctls(pegasus_t)
-@@ -80,27 +255,21 @@ kernel_read_net_sysctls(pegasus_t)
+@@ -80,27 +258,21 @@ kernel_read_net_sysctls(pegasus_t)
  kernel_read_xen_state(pegasus_t)
  kernel_write_xen_state(pegasus_t)
  
@@ -52974,7 +53028,7 @@ index 7bcf327..71ab12b 100644
  
  corecmd_exec_bin(pegasus_t)
  corecmd_exec_shell(pegasus_t)
-@@ -114,6 +283,7 @@ files_getattr_all_dirs(pegasus_t)
+@@ -114,6 +286,7 @@ files_getattr_all_dirs(pegasus_t)
  
  auth_use_nsswitch(pegasus_t)
  auth_domtrans_chk_passwd(pegasus_t)
@@ -52982,7 +53036,7 @@ index 7bcf327..71ab12b 100644
  
  domain_use_interactive_fds(pegasus_t)
  domain_read_all_domains_state(pegasus_t)
-@@ -128,18 +298,25 @@ init_stream_connect_script(pegasus_t)
+@@ -128,18 +301,25 @@ init_stream_connect_script(pegasus_t)
  logging_send_audit_msgs(pegasus_t)
  logging_send_syslog_msg(pegasus_t)
  
@@ -53014,7 +53068,7 @@ index 7bcf327..71ab12b 100644
  ')
  
  optional_policy(`
-@@ -151,16 +328,24 @@ optional_policy(`
+@@ -151,16 +331,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -53043,7 +53097,7 @@ index 7bcf327..71ab12b 100644
  ')
  
  optional_policy(`
-@@ -168,7 +353,7 @@ optional_policy(`
+@@ -168,7 +356,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -61785,7 +61839,7 @@ index 4ecda09..8c0b242 100644
 +/var/log/puppet(/.*)?			gen_context(system_u:object_r:puppet_log_t,s0)
 +/var/run/puppet(/.*)?			gen_context(system_u:object_r:puppet_var_run_t,s0)
 diff --git a/puppet.if b/puppet.if
-index 7cb8b1f..7c5c5fb 100644
+index 7cb8b1f..46650f0 100644
 --- a/puppet.if
 +++ b/puppet.if
 @@ -1,4 +1,32 @@
@@ -61813,11 +61867,11 @@ index 7cb8b1f..7c5c5fb 100644
 +#
 +interface(`puppet_domtrans_master',`
 +	gen_require(`
-+		type puppet_master_t, puppet_master_exec_t;
++		type puppetmaster_t, puppetmaster_t_exec_t;
 +	')
 +
 +	corecmd_search_bin($1)
-+	domtrans_pattern($1, puppet_master_exec_t, puppet_master_t)
++	domtrans_pattern($1, puppetmaster_t_exec_t, puppetmaster_t)
 +')
  
  ########################################
@@ -84304,7 +84358,7 @@ index 42946bc..3d30062 100644
 +	can_exec($1, telepathy_executable)
  ')
 diff --git a/telepathy.te b/telepathy.te
-index e9c0964..20a31da 100644
+index e9c0964..91c1898 100644
 --- a/telepathy.te
 +++ b/telepathy.te
 @@ -1,29 +1,28 @@
@@ -84805,7 +84859,7 @@ index e9c0964..20a31da 100644
  optional_policy(`
  	xserver_read_xdm_pid(telepathy_sunshine_t)
  	xserver_stream_connect(telepathy_sunshine_t)
-@@ -452,31 +382,39 @@ optional_policy(`
+@@ -452,31 +382,40 @@ optional_policy(`
  
  #######################################
  #
@@ -84844,6 +84898,7 @@ index e9c0964..20a31da 100644
  optional_policy(`
 +	gnome_read_generic_cache_files(telepathy_domain)
 +	gnome_write_generic_cache_files(telepathy_domain)
++    gnome_filetrans_config_home_content(telepathy_domain)
 +')
 +
 +optional_policy(`
@@ -94718,7 +94773,7 @@ index dd63de0..38ce620 100644
 -	admin_pattern($1, zabbix_tmpfs_t)
  ')
 diff --git a/zabbix.te b/zabbix.te
-index 46e4cd3..4dec288 100644
+index 46e4cd3..dea93eb 100644
 --- a/zabbix.te
 +++ b/zabbix.te
 @@ -6,7 +6,7 @@ policy_module(zabbix, 1.5.3)
@@ -94730,7 +94785,23 @@ index 46e4cd3..4dec288 100644
  ##	Determine whether zabbix can
  ##	connect to all TCP ports
  ##	</p>
-@@ -95,12 +95,8 @@ corecmd_exec_shell(zabbix_t)
+@@ -52,11 +52,10 @@ allow zabbix_t self:sem create_sem_perms;
+ allow zabbix_t self:shm create_shm_perms;
+ allow zabbix_t self:tcp_socket create_stream_socket_perms;
+ 
+-allow zabbix_t zabbix_log_t:dir setattr_dir_perms;
+-append_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
+-create_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
+-setattr_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
+-logging_log_filetrans(zabbix_t, zabbix_log_t, file)
++manage_dirs_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
++manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
++manage_lnk_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
++logging_log_filetrans(zabbix_t, zabbix_log_t, { dir file })
+ 
+ manage_dirs_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t)
+ manage_files_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t)
+@@ -95,12 +94,8 @@ corecmd_exec_shell(zabbix_t)
  
  dev_read_urand(zabbix_t)
  
@@ -94743,7 +94814,7 @@ index 46e4cd3..4dec288 100644
  zabbix_agent_tcp_connect(zabbix_t)
  
  tunable_policy(`zabbix_can_network',`
-@@ -110,12 +106,11 @@ tunable_policy(`zabbix_can_network',`
+@@ -110,12 +105,11 @@ tunable_policy(`zabbix_can_network',`
  ')
  
  optional_policy(`
@@ -94758,7 +94829,7 @@ index 46e4cd3..4dec288 100644
  ')
  
  optional_policy(`
-@@ -125,6 +120,7 @@ optional_policy(`
+@@ -125,6 +119,7 @@ optional_policy(`
  
  optional_policy(`
  	snmp_read_snmp_var_lib_files(zabbix_t)
@@ -94766,7 +94837,7 @@ index 46e4cd3..4dec288 100644
  ')
  
  ########################################
-@@ -133,7 +129,7 @@ optional_policy(`
+@@ -133,17 +128,14 @@ optional_policy(`
  #
  
  allow zabbix_agent_t self:capability { setuid setgid };
@@ -94775,7 +94846,27 @@ index 46e4cd3..4dec288 100644
  allow zabbix_agent_t self:fifo_file rw_fifo_file_perms;
  allow zabbix_agent_t self:sem create_sem_perms;
  allow zabbix_agent_t self:shm create_shm_perms;
-@@ -182,7 +178,6 @@ domain_search_all_domains_state(zabbix_agent_t)
+ allow zabbix_agent_t self:tcp_socket { accept listen };
+ allow zabbix_agent_t self:unix_stream_socket create_stream_socket_perms;
+ 
+-append_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t)
+-create_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t)
+-setattr_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t)
+-filetrans_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t, file)
++manage_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t)
+ 
+ rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t)
+ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
+@@ -154,6 +146,8 @@ files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file)
+ kernel_read_all_sysctls(zabbix_agent_t)
+ kernel_read_system_state(zabbix_agent_t)
+ 
++corecmd_exec_shell(zabbix_agent_t)
++corecmd_exec_bin(zabbix_agent_t)
+ corecmd_read_all_executables(zabbix_agent_t)
+ 
+ corenet_all_recvfrom_unlabeled(zabbix_agent_t)
+@@ -182,7 +176,6 @@ domain_search_all_domains_state(zabbix_agent_t)
  files_getattr_all_dirs(zabbix_agent_t)
  files_getattr_all_files(zabbix_agent_t)
  files_read_all_symlinks(zabbix_agent_t)
@@ -94783,14 +94874,20 @@ index 46e4cd3..4dec288 100644
  
  fs_getattr_all_fs(zabbix_agent_t)
  
-@@ -190,7 +185,6 @@ init_read_utmp(zabbix_agent_t)
+@@ -190,8 +183,11 @@ init_read_utmp(zabbix_agent_t)
  
  logging_search_logs(zabbix_agent_t)
  
 -miscfiles_read_localization(zabbix_agent_t)
- 
+-
  sysnet_dns_name_resolve(zabbix_agent_t)
  
+ zabbix_tcp_connect(zabbix_agent_t)
++
++optional_policy(`
++	hostname_exec(zabbix_agent_t)
++')
++
 diff --git a/zarafa.fc b/zarafa.fc
 index faf99ed..a451e97 100644
 --- a/zarafa.fc

selinux-policy.spec

@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 67%{?dist}
+Release: 68%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -538,6 +538,17 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Tue Jul 30 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-68
+- Allow xdm_t to act as a dbus client to itsel
+- Allow fetchmail to resolve host names
+- Allow gnupg apps to write to pcscd socket
+- Add labeling for cmpiLMI_Fan-cimprovagt
+- Allow net_admin for glusterd
+- Allow telepathy domain to create dconf with correct labeling in /home/userX/.cache/
+- Add pegasus_openlmi_system_t
+- Fix puppet_domtrans_master() to make all puppet calling working in passenger.te
+-httpd_t does access_check on certs
+
 * Fri Jul 26 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-67
 - Add support for cmpiLMI_Service-cimprovagt
 - Allow pegasus domtrans to rpm_t to make pycmpiLMI_Software-cimprovagt running as rpm_t