diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 402d0ff0..f75f5e3e 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -2631,7 +2631,7 @@ index 99e3903..fa68362 100644
  ## </summary>
  ## <param name="domain">
 diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 1d732f1..e0fc276 100644
+index 1d732f1..1a53101 100644
 --- a/policy/modules/admin/usermanage.te
 +++ b/policy/modules/admin/usermanage.te
 @@ -26,6 +26,7 @@ type chfn_exec_t;
@@ -2784,6 +2784,15 @@ index 1d732f1..e0fc276 100644
  auth_relabel_shadow(groupadd_t)
  auth_etc_filetrans_shadow(groupadd_t)
  
+@@ -273,7 +297,7 @@ optional_policy(`
+ # Passwd local policy
+ #
+ 
+-allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_nice sys_resource };
++allow passwd_t self:capability { chown dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource };
+ dontaudit passwd_t self:capability sys_tty_config;
+ allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow passwd_t self:process { setrlimit setfscreate };
 @@ -288,6 +312,7 @@ allow passwd_t self:shm create_shm_perms;
  allow passwd_t self:sem create_sem_perms;
  allow passwd_t self:msgq create_msgq_perms;
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index dbef4b09..fc9620c8 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -4786,10 +4786,10 @@ index f6eb485..51b128e 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
  ')
 diff --git a/apache.te b/apache.te
-index 6649962..7954b3b 100644
+index 6649962..1f527f5 100644
 --- a/apache.te
 +++ b/apache.te
-@@ -5,280 +5,317 @@ policy_module(apache, 2.7.2)
+@@ -5,280 +5,325 @@ policy_module(apache, 2.7.2)
  # Declarations
  #
  
@@ -4810,39 +4810,40 @@ index 6649962..7954b3b 100644
  ## </desc>
 -gen_tunable(allow_httpd_anon_write, false)
 +gen_tunable(httpd_anon_write, false)
++
  
  ## <desc>
 -##	<p>
 -##	Determine whether httpd can use mod_auth_pam.
 -##	</p>
 +## <p>
-+## Allow Apache to use mod_auth_pam
++## Dontaudit Apache to search dirs.
 +## </p>
  ## </desc>
 -gen_tunable(allow_httpd_mod_auth_pam, false)
-+gen_tunable(httpd_mod_auth_pam, false)
++gen_tunable(httpd_dontaudit_search_dirs, false)
  
  ## <desc>
 -##	<p>
 -##	Determine whether httpd can use built in scripting.
 -##	</p>
 +## <p>
-+## Allow Apache to use mod_auth_ntlm_winbind
++## Allow Apache to use mod_auth_pam
 +## </p>
  ## </desc>
 -gen_tunable(httpd_builtin_scripting, false)
-+gen_tunable(httpd_mod_auth_ntlm_winbind, false)
++gen_tunable(httpd_mod_auth_pam, false)
  
  ## <desc>
 -##	<p>
 -##	Determine whether httpd can check spam.
 -##	</p>
 +## <p>
-+## Allow httpd scripts and modules execmem/execstack
++## Allow Apache to use mod_auth_ntlm_winbind
 +## </p>
  ## </desc>
 -gen_tunable(httpd_can_check_spam, false)
-+gen_tunable(httpd_execmem, false)
++gen_tunable(httpd_mod_auth_ntlm_winbind, false)
  
  ## <desc>
 -##	<p>
@@ -4850,6 +4851,13 @@ index 6649962..7954b3b 100644
 -##	can connect to the network using TCP.
 -##	</p>
 +## <p>
++## Allow httpd scripts and modules execmem/execstack
++## </p>
++## </desc>
++gen_tunable(httpd_execmem, false)
++
++## <desc>
++## <p>
 +## Allow httpd processes to manage IPA content
 +## </p>
 +## </desc>
@@ -5255,7 +5263,7 @@ index 6649962..7954b3b 100644
  
  type httpd_initrc_exec_t;
  init_script_file(httpd_initrc_exec_t)
-@@ -286,15 +323,35 @@ init_script_file(httpd_initrc_exec_t)
+@@ -286,15 +331,35 @@ init_script_file(httpd_initrc_exec_t)
  type httpd_keytab_t;
  files_type(httpd_keytab_t)
  
@@ -5291,7 +5299,7 @@ index 6649962..7954b3b 100644
  type httpd_rotatelogs_t;
  type httpd_rotatelogs_exec_t;
  init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
-@@ -302,10 +359,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
+@@ -302,10 +367,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
  type httpd_squirrelmail_t;
  files_type(httpd_squirrelmail_t)
  
@@ -5304,7 +5312,7 @@ index 6649962..7954b3b 100644
  type httpd_suexec_exec_t;
  domain_type(httpd_suexec_t)
  domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t)
-@@ -314,9 +369,19 @@ role system_r types httpd_suexec_t;
+@@ -314,9 +377,19 @@ role system_r types httpd_suexec_t;
  type httpd_suexec_tmp_t;
  files_tmp_file(httpd_suexec_tmp_t)
  
@@ -5327,7 +5335,7 @@ index 6649962..7954b3b 100644
  
  type httpd_tmp_t;
  files_tmp_file(httpd_tmp_t)
-@@ -324,14 +389,21 @@ files_tmp_file(httpd_tmp_t)
+@@ -324,14 +397,21 @@ files_tmp_file(httpd_tmp_t)
  type httpd_tmpfs_t;
  files_tmpfs_file(httpd_tmpfs_t)
  
@@ -5350,7 +5358,7 @@ index 6649962..7954b3b 100644
  typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
  typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
  typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
-@@ -346,33 +418,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad
+@@ -346,33 +426,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad
  typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
  typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
  
@@ -5401,7 +5409,7 @@ index 6649962..7954b3b 100644
  allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow httpd_t self:fd use;
  allow httpd_t self:sock_file read_sock_file_perms;
-@@ -381,30 +460,38 @@ allow httpd_t self:shm create_shm_perms;
+@@ -381,30 +468,38 @@ allow httpd_t self:shm create_shm_perms;
  allow httpd_t self:sem create_sem_perms;
  allow httpd_t self:msgq create_msgq_perms;
  allow httpd_t self:msg { send receive };
@@ -5445,7 +5453,7 @@ index 6649962..7954b3b 100644
  logging_log_filetrans(httpd_t, httpd_log_t, file)
  
  allow httpd_t httpd_modules_t:dir list_dir_perms;
-@@ -412,14 +499,21 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
+@@ -412,14 +507,21 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
  read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
  read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
  
@@ -5467,7 +5475,7 @@ index 6649962..7954b3b 100644
  allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
  
  manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-@@ -450,140 +544,168 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -450,140 +552,172 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  
@@ -5533,7 +5541,7 @@ index 6649962..7954b3b 100644
 -fs_search_auto_mountpoints(httpd_t)
 +fs_rw_anon_inodefs_files(httpd_t)
 +fs_read_hugetlbfs_files(httpd_t)
- 
++
 +auth_use_nsswitch(httpd_t)
 +
 +application_exec_all(httpd_t)
@@ -5544,7 +5552,7 @@ index 6649962..7954b3b 100644
 +
 +domain_use_interactive_fds(httpd_t)
 +domain_dontaudit_read_all_domains_state(httpd_t)
-+
+ 
 +files_dontaudit_search_all_pids(httpd_t)
  files_dontaudit_getattr_all_pids(httpd_t)
 -files_read_usr_files(httpd_t)
@@ -5609,16 +5617,20 @@ index 6649962..7954b3b 100644
  
 -ifdef(`hide_broken_symptoms',`
 -	libs_exec_lib_files(httpd_t)
++tunable_policy(`httpd_dontaudit_search_dirs',`
++    files_dontaudit_search_non_security_dirs(httpd_t)
+ ')
+ 
+-tunable_policy(`allow_httpd_anon_write',`
+-	miscfiles_manage_public_files(httpd_t)
 +#
 +# We need optionals to be able to be within booleans to make this work
 +#
 +tunable_policy(`httpd_mod_auth_pam',`
 +	auth_domtrans_chkpwd(httpd_t)
 +	logging_send_audit_msgs(httpd_t)
- ')
- 
--tunable_policy(`allow_httpd_anon_write',`
--	miscfiles_manage_public_files(httpd_t)
++')
++
 +optional_policy(`
 +	tunable_policy(`httpd_mod_auth_ntlm_winbind',`
 +		samba_domtrans_winbind_helper(httpd_t)
@@ -5701,7 +5713,7 @@ index 6649962..7954b3b 100644
  ')
  
  tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -594,28 +716,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -594,28 +728,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
  	fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
  ')
  
@@ -5761,7 +5773,7 @@ index 6649962..7954b3b 100644
  ')
  
  tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -624,68 +768,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -624,68 +780,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
  	fs_read_nfs_symlinks(httpd_t)
  ')
  
@@ -5813,12 +5825,8 @@ index 6649962..7954b3b 100644
 -	tunable_policy(`httpd_can_network_connect_zabbix',`
 -		zabbix_tcp_connect(httpd_t)
 -	')
-+tunable_policy(`httpd_use_cifs',`
-+	fs_manage_cifs_dirs(httpd_t)
-+	fs_manage_cifs_files(httpd_t)
-+	fs_manage_cifs_symlinks(httpd_t)
- ')
- 
+-')
+-
 -optional_policy(`
 -	tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
 -		spamassassin_domtrans_client(httpd_t)
@@ -5841,8 +5849,12 @@ index 6649962..7954b3b 100644
 -	tunable_policy(`httpd_mod_auth_ntlm_winbind',`
 -		samba_domtrans_winbind_helper(httpd_t)
 -	')
--')
--
++tunable_policy(`httpd_use_cifs',`
++	fs_manage_cifs_dirs(httpd_t)
++	fs_manage_cifs_files(httpd_t)
++	fs_manage_cifs_symlinks(httpd_t)
+ ')
+ 
 -tunable_policy(`httpd_read_user_content',`
 -	userdom_read_user_home_content_files(httpd_t)
 +tunable_policy(`httpd_use_fusefs',`
@@ -5852,7 +5864,7 @@ index 6649962..7954b3b 100644
  ')
  
  tunable_policy(`httpd_setrlimit',`
-@@ -695,66 +815,56 @@ tunable_policy(`httpd_setrlimit',`
+@@ -695,66 +827,56 @@ tunable_policy(`httpd_setrlimit',`
  
  tunable_policy(`httpd_ssi_exec',`
  	corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@@ -5873,10 +5885,8 @@ index 6649962..7954b3b 100644
 -	userdom_use_user_terminals(httpd_t)
 -',`
 -	userdom_dontaudit_use_user_terminals(httpd_t)
-+	userdom_use_inherited_user_terminals(httpd_t)
-+	userdom_use_inherited_user_terminals(httpd_suexec_t)
- ')
- 
+-')
+-
 -tunable_policy(`httpd_use_cifs',`
 -	fs_list_auto_mountpoints(httpd_t)
 -	fs_manage_cifs_dirs(httpd_t)
@@ -5893,8 +5903,10 @@ index 6649962..7954b3b 100644
 -	fs_manage_fusefs_dirs(httpd_t)
 -	fs_manage_fusefs_files(httpd_t)
 -	fs_read_fusefs_symlinks(httpd_t)
--')
--
++	userdom_use_inherited_user_terminals(httpd_t)
++	userdom_use_inherited_user_terminals(httpd_suexec_t)
+ ')
+ 
 -tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
 -	fs_exec_fusefs_files(httpd_t)
 -')
@@ -5950,7 +5962,7 @@ index 6649962..7954b3b 100644
  ')
  
  optional_policy(`
-@@ -770,6 +880,23 @@ optional_policy(`
+@@ -770,6 +892,23 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -5974,7 +5986,7 @@ index 6649962..7954b3b 100644
  	dbus_system_bus_client(httpd_t)
  
  	tunable_policy(`httpd_dbus_avahi',`
-@@ -786,35 +913,55 @@ optional_policy(`
+@@ -786,35 +925,55 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6043,7 +6055,7 @@ index 6649962..7954b3b 100644
  
  	tunable_policy(`httpd_manage_ipa',`
  		memcached_manage_pid_files(httpd_t)
-@@ -822,8 +969,18 @@ optional_policy(`
+@@ -822,8 +981,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6062,7 +6074,7 @@ index 6649962..7954b3b 100644
  
  	tunable_policy(`httpd_can_network_connect_db',`
  		mysql_tcp_connect(httpd_t)
-@@ -832,6 +989,7 @@ optional_policy(`
+@@ -832,6 +1001,7 @@ optional_policy(`
  
  optional_policy(`
  	nagios_read_config(httpd_t)
@@ -6070,7 +6082,7 @@ index 6649962..7954b3b 100644
  ')
  
  optional_policy(`
-@@ -842,20 +1000,39 @@ optional_policy(`
+@@ -842,20 +1012,39 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6116,7 +6128,7 @@ index 6649962..7954b3b 100644
  ')
  
  optional_policy(`
-@@ -863,19 +1040,35 @@ optional_policy(`
+@@ -863,19 +1052,35 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6152,7 +6164,7 @@ index 6649962..7954b3b 100644
  	udev_read_db(httpd_t)
  ')
  
-@@ -883,65 +1076,173 @@ optional_policy(`
+@@ -883,65 +1088,173 @@ optional_policy(`
  	yam_read_content(httpd_t)
  ')
  
@@ -6225,10 +6237,11 @@ index 6649962..7954b3b 100644
 -',`
 -	userdom_dontaudit_use_user_terminals(httpd_helper_t)
 +	userdom_use_inherited_user_terminals(httpd_helper_t)
-+')
-+
-+########################################
-+#
+ ')
+ 
+ ########################################
+ #
+-# Suexec local policy
 +# Apache PHP script local policy
 +#
 +
@@ -6287,11 +6300,10 @@ index 6649962..7954b3b 100644
 +	tunable_policy(`httpd_can_network_connect_db',`
 +		postgresql_tcp_connect(httpd_php_t)
 +	')
- ')
- 
- ########################################
- #
--# Suexec local policy
++')
++
++########################################
++#
 +# Apache suexec local policy
  #
  
@@ -6348,7 +6360,7 @@ index 6649962..7954b3b 100644
  files_dontaudit_search_pids(httpd_suexec_t)
  files_search_home(httpd_suexec_t)
  
-@@ -950,123 +1251,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -950,123 +1263,74 @@ auth_use_nsswitch(httpd_suexec_t)
  logging_search_logs(httpd_suexec_t)
  logging_send_syslog_msg(httpd_suexec_t)
  
@@ -6503,7 +6515,7 @@ index 6649962..7954b3b 100644
  	mysql_read_config(httpd_suexec_t)
  
  	tunable_policy(`httpd_can_network_connect_db',`
-@@ -1083,172 +1335,106 @@ optional_policy(`
+@@ -1083,172 +1347,106 @@ optional_policy(`
  	')
  ')
  
@@ -6528,11 +6540,11 @@ index 6649962..7954b3b 100644
 -
 -append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
 -read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
-+allow httpd_sys_script_t self:process getsched;
- 
+-
 -kernel_dontaudit_search_sysctl(httpd_script_domains)
 -kernel_dontaudit_search_kernel_sysctl(httpd_script_domains)
--
++allow httpd_sys_script_t self:process getsched;
+ 
 -corenet_all_recvfrom_unlabeled(httpd_script_domains)
 -corenet_all_recvfrom_netlabel(httpd_script_domains)
 -corenet_tcp_sendrecv_generic_if(httpd_script_domains)
@@ -6621,15 +6633,6 @@ index 6649962..7954b3b 100644
 -	corenet_sendrecv_oracledb_client_packets(httpd_script_domains)
 -	corenet_tcp_connect_oracledb_port(httpd_script_domains)
 -	corenet_tcp_sendrecv_oracledb_port(httpd_script_domains)
--')
--
--optional_policy(`
--	mysql_read_config(httpd_script_domains)
--	mysql_stream_connect(httpd_script_domains)
--
--	tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
--		mysql_tcp_connect(httpd_script_domains)
--	')
 +tunable_policy(`httpd_can_network_connect_db',`
 +	corenet_tcp_connect_gds_db_port(httpd_sys_script_t)
 +	corenet_tcp_connect_mssql_port(httpd_sys_script_t)
@@ -6639,12 +6642,21 @@ index 6649962..7954b3b 100644
  ')
  
 -optional_policy(`
--	postgresql_stream_connect(httpd_script_domains)
+-	mysql_read_config(httpd_script_domains)
+-	mysql_stream_connect(httpd_script_domains)
+-
+-	tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
+-		mysql_tcp_connect(httpd_script_domains)
+-	')
+-')
 +fs_cifs_entry_type(httpd_sys_script_t)
 +fs_read_iso9660_files(httpd_sys_script_t)
 +fs_nfs_entry_type(httpd_sys_script_t)
 +fs_rw_anon_inodefs_files(httpd_sys_script_t)
  
+-optional_policy(`
+-	postgresql_stream_connect(httpd_script_domains)
+-
 -	tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
 -		postgresql_tcp_connect(httpd_script_domains)
 -	')
@@ -6681,7 +6693,8 @@ index 6649962..7954b3b 100644
 -allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
 -allow httpd_sys_script_t squirrelmail_spool_t:file read_file_perms;
 -allow httpd_sys_script_t squirrelmail_spool_t:lnk_file read_lnk_file_perms;
--
++corenet_all_recvfrom_netlabel(httpd_sys_script_t)
+ 
 -kernel_read_kernel_sysctls(httpd_sys_script_t)
 -
 -fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -6701,8 +6714,7 @@ index 6649962..7954b3b 100644
 -	corenet_sendrecv_pop_client_packets(httpd_sys_script_t)
 -	corenet_tcp_connect_pop_port(httpd_sys_script_t)
 -	corenet_tcp_sendrecv_pop_port(httpd_sys_script_t)
-+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
- 
+-
 -	mta_send_mail(httpd_sys_script_t)
 -	mta_signal_system_mail(httpd_sys_script_t)
 +tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
@@ -6740,7 +6752,7 @@ index 6649962..7954b3b 100644
  ')
  
  tunable_policy(`httpd_read_user_content',`
-@@ -1256,64 +1442,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1256,64 +1454,74 @@ tunable_policy(`httpd_read_user_content',`
  ')
  
  tunable_policy(`httpd_use_cifs',`
@@ -6837,7 +6849,7 @@ index 6649962..7954b3b 100644
  
  ########################################
  #
-@@ -1321,8 +1517,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1321,8 +1529,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
  #
  
  optional_policy(`
@@ -6854,7 +6866,7 @@ index 6649962..7954b3b 100644
  ')
  
  ########################################
-@@ -1330,49 +1533,38 @@ optional_policy(`
+@@ -1330,49 +1545,38 @@ optional_policy(`
  # User content local policy
  #
  
@@ -6919,7 +6931,7 @@ index 6649962..7954b3b 100644
  kernel_read_system_state(httpd_passwd_t)
  
  corecmd_exec_bin(httpd_passwd_t)
-@@ -1382,38 +1574,100 @@ dev_read_urand(httpd_passwd_t)
+@@ -1382,38 +1586,100 @@ dev_read_urand(httpd_passwd_t)
  
  domain_use_interactive_fds(httpd_passwd_t)
  
@@ -25291,7 +25303,7 @@ index 50d0084..94e1936 100644
  
  	fail2ban_run_client($1, $2)
 diff --git a/fail2ban.te b/fail2ban.te
-index cf0e567..91d4dfb 100644
+index cf0e567..fed8792 100644
 --- a/fail2ban.te
 +++ b/fail2ban.te
 @@ -37,7 +37,7 @@ role fail2ban_client_roles types fail2ban_client_t;
@@ -25368,7 +25380,7 @@ index cf0e567..91d4dfb 100644
  	shorewall_domtrans(fail2ban_t)
  ')
  
-@@ -131,22 +144,25 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read };
+@@ -131,22 +144,29 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read };
  
  domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
  
@@ -25398,6 +25410,10 @@ index cf0e567..91d4dfb 100644
 -
  userdom_dontaudit_search_user_home_dirs(fail2ban_client_t)
  userdom_use_user_terminals(fail2ban_client_t)
++
++optional_policy(`
++    apache_read_log(fail2ban_client_t)
++')
 diff --git a/fcoe.te b/fcoe.te
 index ce358fb..aabd04f 100644
 --- a/fcoe.te
@@ -27102,10 +27118,10 @@ index 0000000..9e17d3e
 +')
 diff --git a/geoclue.te b/geoclue.te
 new file mode 100644
-index 0000000..64faa9e
+index 0000000..1fb8bd5
 --- /dev/null
 +++ b/geoclue.te
-@@ -0,0 +1,38 @@
+@@ -0,0 +1,45 @@
 +policy_module(geoclue, 1.0.0)
 +
 +########################################
@@ -27121,6 +27137,9 @@ index 0000000..64faa9e
 +type geoclue_var_lib_t;
 +files_type(geoclue_var_lib_t)
 +
++type geoclue_tmp_t;
++files_tmp_file(geoclue_tmp_t)
++
 +########################################
 +#
 +# geoclue local policy
@@ -27131,6 +27150,10 @@ index 0000000..64faa9e
 +manage_lnk_files_pattern(geoclue_t, geoclue_var_lib_t, geoclue_var_lib_t)
 +files_var_lib_filetrans(geoclue_t, geoclue_var_lib_t, { dir })
 +
++manage_files_pattern(geoclue_t, geoclue_tmp_t, geoclue_tmp_t)
++manage_dirss_pattern(geoclue_t, geoclue_tmp_t, geoclue_tmp_t)
++files_tmp_filetrans(geoclue_t, geoclue_tmp_t, { dir file })
++
 +corenet_tcp_connect_http_port(geoclue_t)
 +
 +corecmd_exec_bin(geoclue_t)
@@ -80608,10 +80631,10 @@ index 7fb75f4..27f5e22 100644
 +userdom_getattr_user_terminals(rwho_t)
 +
 diff --git a/samba.fc b/samba.fc
-index b8b66ff..2ccac49 100644
+index b8b66ff..d1fa967 100644
 --- a/samba.fc
 +++ b/samba.fc
-@@ -1,42 +1,54 @@
+@@ -1,42 +1,55 @@
 -/etc/rc\.d/init\.d/nmb	--	gen_context(system_u:object_r:samba_initrc_exec_t,s0)
 -/etc/rc\.d/init\.d/smb	--	gen_context(system_u:object_r:samba_initrc_exec_t,s0)
 +
@@ -80637,6 +80660,7 @@ index b8b66ff..2ccac49 100644
 +#
 +/usr/lib/systemd/system/smb.* 	--	gen_context(system_u:object_r:samba_unit_file_t,s0)
 +/usr/lib/systemd/system/nmb.*   --      gen_context(system_u:object_r:samba_unit_file_t,s0)
++/usr/lib/systemd/system/winbind.*   --  gen_context(system_u:object_r:samba_unit_file_t,s0)
  
 -/usr/bin/net	--	gen_context(system_u:object_r:samba_net_exec_t,s0)
 -/usr/bin/ntlm_auth	--	gen_context(system_u:object_r:winbind_helper_exec_t,s0)
@@ -80692,7 +80716,7 @@ index b8b66ff..2ccac49 100644
  /var/run/samba/messages\.tdb	--	gen_context(system_u:object_r:nmbd_var_run_t,s0)
  /var/run/samba/namelist\.debug	--	gen_context(system_u:object_r:nmbd_var_run_t,s0)
  /var/run/samba/nmbd\.pid	--	gen_context(system_u:object_r:nmbd_var_run_t,s0)
-@@ -45,7 +57,11 @@
+@@ -45,7 +58,11 @@
  /var/run/samba/smbd\.pid	--	gen_context(system_u:object_r:smbd_var_run_t,s0)
  /var/run/samba/unexpected\.tdb	--	gen_context(system_u:object_r:nmbd_var_run_t,s0)
  
@@ -100334,10 +100358,10 @@ index 0000000..044be2f
 +')
 diff --git a/vmtools.te b/vmtools.te
 new file mode 100644
-index 0000000..b4d2dac
+index 0000000..1398ead
 --- /dev/null
 +++ b/vmtools.te
-@@ -0,0 +1,42 @@
+@@ -0,0 +1,44 @@
 +policy_module(vmtools, 1.0.0)
 +
 +########################################
@@ -100377,6 +100401,8 @@ index 0000000..b4d2dac
 +dev_read_urand(vmtools_t)
 +dev_getattr_all_blk_files(vmtools_t)
 +
++fs_getattr_all_fs(vmtools_t)
++
 +auth_use_nsswitch(vmtools_t)
 +
 +logging_send_syslog_msg(vmtools_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index d2c5efd5..be21a00a 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 19%{?dist}
+Release: 20%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -578,6 +578,14 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Thu Jan 30 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-20
+- Allow passwd_t to use ipc_lock, so that it can change the password in gnome-keyring
+- Allow geoclue to create temporary files/dirs in /tmp
+- Add httpd_dontaudit_search_dirs boolean
+- Add support for winbind.service
+- ALlow also fail2ban-client to read apache logs
+- Allow vmtools to getattr on all fs
+
 * Tue Jan 28 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-19
 - Add net_admin also for systemd_passwd_agent_t
 - Allow Associate usermodehelper_t to sysfs filesystem