diff --git a/policy/modules/admin/firstboot.if b/policy/modules/admin/firstboot.if
index d55f6ddc..5d1b2ab6 100644
--- a/policy/modules/admin/firstboot.if
+++ b/policy/modules/admin/firstboot.if
@@ -124,3 +124,21 @@ interface(`firstboot_rw_pipes',`
allow $1 firstboot_t:fifo_file { read write };
')
+
+########################################
+##
+## Do not audit attemps to read and write to a firstboot unnamed pipe.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`firstboot_dontaudit_rw_pipes',`
+ gen_require(`
+ type firstboot_t;
+ ')
+
+ dontaudit $1 firstboot_t:fifo_file { read write };
+')
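Review bot: The summary line of the new `firstboot_dontaudit_rw_pipes` doc comment misspells "attempts" (`## Do not audit attemps to read and write to a firstboot unnamed pipe.`); it should read `## Do not audit attempts to read and write a firstboot unnamed pipe.` A dontaudit interface grants nothing and only suppresses the AVC record for a denied access, so the description is the one place a later caller learns when it is appropriate. I would add a sentence to the doc comment saying it is intended for pipes inherited from firstboot; the ntp.te caller in this same patch pairs it with `firstboot_dontaudit_use_fds`, which suggests that use. That keeps it from being used to hide denials that point to a real policy gap.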
diff --git a/policy/modules/admin/firstboot.te b/policy/modules/admin/firstboot.te
index fcc2128d..9362210c 100644
--- a/policy/modules/admin/firstboot.te
+++ b/policy/modules/admin/firstboot.te
@@ -1,5 +1,5 @@
-policy_module(firstboot,1.3.0)
+policy_module(firstboot,1.3.1)
gen_require(`
class passwd rootok;
diff --git a/policy/modules/admin/kudzu.te b/policy/modules/admin/kudzu.te
index 65772725..54ccd8d1 100644
--- a/policy/modules/admin/kudzu.te
+++ b/policy/modules/admin/kudzu.te
@@ -1,5 +1,5 @@
-policy_module(kudzu,1.3.1)
+policy_module(kudzu,1.3.2)
########################################
#
@@ -22,7 +22,7 @@ files_pid_file(kudzu_var_run_t)
#
allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
-dontaudit kudzu_t self:capability sys_tty_config;
+dontaudit kudzu_t self:capability { sys_ptrace sys_tty_config };
allow kudzu_t self:process { signal_perms execmem };
allow kudzu_t self:fifo_file rw_fifo_file_perms;
allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms };
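Review bot: The changed rule `dontaudit kudzu_t self:capability { sys_ptrace sys_tty_config };` silences sys_ptrace denials with no comment saying what kudzu does to trigger them. The capability is still denied, but no AVC record is written, so an unexpected sys_ptrace request from this domain would no longer show up in the audit log. I would add a one-line comment above the rule recording the cause, for example `# sys_ptrace: <observed trigger / bug reference>`, so the suppression can be revisited later. When investigating this domain, dontaudit rules can be disabled temporarily with `semodule -DB`.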
diff --git a/policy/modules/admin/logwatch.te b/policy/modules/admin/logwatch.te
index e318417d..9e35883c 100644
--- a/policy/modules/admin/logwatch.te
+++ b/policy/modules/admin/logwatch.te
@@ -1,5 +1,5 @@
-policy_module(logwatch,1.3.1)
+policy_module(logwatch,1.3.2)
#################################
#
@@ -30,6 +30,7 @@ allow logwatch_t self:capability { dac_override dac_read_search setgid };
allow logwatch_t self:process signal;
allow logwatch_t self:fifo_file rw_file_perms;
allow logwatch_t self:unix_stream_socket create_stream_socket_perms;
+allow logwatch_t self:netlink_route_socket r_netlink_socket_perms;
manage_dirs_pattern(logwatch_t,logwatch_cache_t,logwatch_cache_t)
manage_files_pattern(logwatch_t,logwatch_cache_t,logwatch_cache_t)
@@ -76,6 +77,7 @@ libs_use_shared_libs(logwatch_t)
libs_read_lib_files(logwatch_t)
logging_read_all_logs(logwatch_t)
+logging_send_syslog_msg(logwatch_t)
miscfiles_read_localization(logwatch_t)
diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
index 864395b9..d433fa27 100644
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@@ -3,6 +3,90 @@
## Contains the initial SIDs for network objects.
##
+########################################
+##
+## Define type to be a network port type
+##
+##
+##
+## Define type to be a network port type
+##
+##
+## This is a template to support third party modules
+## and its use is not allowed in upstream reference
+## policy.
+##
+##
+##
+##
+## Type to be used for network ports.
+##
+##
+#
+interface(`corenet_port',`
+ gen_require(`
+ attribute port_type;
+ ')
+
+ typeattribute $1 port_type;
+')
+
+########################################
+##
+## Define network type to be a reserved port (lt 1024)
+##
+##
+##
+## Define network type to be a reserved port (lt 1024)
+##
+##
+## This is a template to support third party modules
+## and its use is not allowed in upstream reference
+## policy.
+##
+##
+##
+##
+## Type to be used for network ports.
+##
+##
+#
+interface(`corenet_reserved_port',`
+ gen_require(`
+ attribute reserved_port_type;
+ ')
+
+ typeattribute $1 reserved_port_type;
+')
+
+########################################
+##
+## Define network type to be a rpc port ( 512 lt PORT lt 1024)
+##
+##
+##
+## Define network type to be a rpc port ( 512 lt PORT lt 1024)
+##
+##
+## This is a template to support third party modules
+## and its use is not allowed in upstream reference
+## policy.
+##
+##
+##
+##
+## Type to be used for network ports.
+##
+##
+#
+interface(`corenet_rpc_port',`
+ gen_require(`
+ attribute rpc_port_type;
+ ')
+
+ typeattribute $1 rpc_port_type;
+')
+
########################################
##
## Send and receive TCP network traffic on the generic interfaces.
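Review bot: `corenet_reserved_port` and `corenet_rpc_port` each assign only their own attribute, so a third-party type declared through one of them alone ends up without `port_type`, and an rpc port type ends up without `reserved_port_type`. If other rules in the policy are written against those broader attributes (not visible in this hunk), such a type would silently fall outside them, including any neverallow or dontaudit coverage keyed on them. I would have the narrower interfaces call the broader ones: add `corenet_port($1)` to `corenet_reserved_port` and `corenet_reserved_port($1)` to `corenet_rpc_port`. The doc comments also describe each of these as "a template" although they are declared with `interface(`; the wording should match the declaration.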
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 140e4ae1..2b67c129 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -1,5 +1,5 @@
-policy_module(corenetwork,1.2.4)
+policy_module(corenetwork,1.2.5)
########################################
#
diff --git a/policy/modules/services/ccs.te b/policy/modules/services/ccs.te
index 4d1557c3..9d06f766 100644
--- a/policy/modules/services/ccs.te
+++ b/policy/modules/services/ccs.te
@@ -1,5 +1,5 @@
-policy_module(ccs,1.0.3)
+policy_module(ccs,1.0.4)
########################################
#
@@ -10,10 +10,14 @@ type ccs_t;
type ccs_exec_t;
init_daemon_domain(ccs_t, ccs_exec_t)
-# pid files
+# conf files
type cluster_conf_t;
files_type(cluster_conf_t)
+# tmp files
+type ccs_tmp_t;
+files_tmp_file(ccs_tmp_t)
+
# log files
type ccs_var_log_t;
logging_log_file(ccs_var_log_t)
@@ -45,6 +49,12 @@ allow ccs_t self:socket create_socket_perms;
manage_files_pattern(ccs_t,cluster_conf_t,cluster_conf_t)
+# tmp file
+allow ccs_t ccs_tmp_t:dir manage_dir_perms;
+manage_dirs_pattern(ccs_t,ccs_tmp_t,ccs_tmp_t)
+manage_files_pattern(ccs_t,ccs_tmp_t,ccs_tmp_t)
+files_tmp_filetrans(ccs_t, ccs_tmp_t, { file dir })
+
# log files
manage_files_pattern(ccs_t,ccs_var_log_t,ccs_var_log_t)
manage_sock_files_pattern(ccs_t,ccs_var_log_t,ccs_var_log_t)
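Review bot: `allow ccs_t ccs_tmp_t:dir manage_dir_perms;` looks redundant with the `manage_dirs_pattern(ccs_t,ccs_tmp_t,ccs_tmp_t)` line directly below it, which should already grant directory management on ccs_tmp_t when both type arguments are the same. Dropping the explicit allow keeps the tmp section consistent with the log-file rules that follow, which use only the pattern macros, and leaves one place to audit for what ccs_t may do in its tmp directories. The comment `# tmp file` could also read `# tmp files` to match the comment on the type declaration earlier in the file.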
diff --git a/policy/modules/services/cyrus.te b/policy/modules/services/cyrus.te
index a559e2b4..b5fb28cd 100644
--- a/policy/modules/services/cyrus.te
+++ b/policy/modules/services/cyrus.te
@@ -1,5 +1,5 @@
-policy_module(cyrus,1.2.1)
+policy_module(cyrus,1.2.2)
########################################
#
@@ -111,6 +111,7 @@ userdom_use_unpriv_users_fds(cyrus_t)
userdom_use_sysadm_ptys(cyrus_t)
mta_manage_spool(cyrus_t)
+mta_send_mail(cyrus_t)
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_ttys(cyrus_t)
@@ -122,6 +123,10 @@ optional_policy(`
cron_system_entry(cyrus_t,cyrus_exec_t)
')
+optional_policy(`
+ kerberos_use(cyrus_t)
+')
+
optional_policy(`
ldap_stream_connect(cyrus_t)
')
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
index f85badef..302931eb 100644
--- a/policy/modules/services/networkmanager.te
+++ b/policy/modules/services/networkmanager.te
@@ -1,5 +1,5 @@
-policy_module(networkmanager,1.5.3)
+policy_module(networkmanager,1.5.4)
########################################
#
@@ -22,7 +22,7 @@ files_pid_file(NetworkManager_var_run_t)
# and it receives a unexpected signal (rh bug #204161)
allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };
dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };
-allow NetworkManager_t self:process { ptrace setcap getsched signal_perms };
+allow NetworkManager_t self:process { ptrace setcap setpgid getsched signal_perms };
allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
index 9cdb6b92..aefa4fe4 100644
--- a/policy/modules/services/ntp.te
+++ b/policy/modules/services/ntp.te
@@ -1,5 +1,5 @@
-policy_module(ntp,1.2.1)
+policy_module(ntp,1.2.2)
########################################
#
@@ -129,6 +129,7 @@ optional_policy(`
optional_policy(`
firstboot_dontaudit_use_fds(ntpd_t)
+ firstboot_dontaudit_rw_pipes(ntpd_t)
')
optional_policy(`