diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 8ccf4672..137d2a58 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -1,5 +1,5 @@
-policy_module(corenetwork,1.2.16)
+policy_module(corenetwork, 1.2.17)
########################################
#
@@ -109,6 +109,7 @@ network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
network_port(ircd, tcp,6667,s0)
network_port(isakmp, udp,500,s0)
network_port(iscsi, tcp,3260,s0)
+network_port(isns, tcp,3205,s0, udp,3205,s0)
network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
network_port(jabber_interserver, tcp,5269,s0)
network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
diff --git a/policy/modules/services/qmail.te b/policy/modules/services/qmail.te
index 5d4e608b..57cc7efb 100644
--- a/policy/modules/services/qmail.te
+++ b/policy/modules/services/qmail.te
@@ -1,5 +1,5 @@
-policy_module(qmail, 1.3.0)
+policy_module(qmail, 1.3.1)
########################################
#
@@ -14,7 +14,7 @@ files_type(qmail_alias_home_t)
qmail_child_domain_template(qmail_clean, qmail_start_t)
type qmail_etc_t;
-files_type(qmail_etc_t)
+files_config_file(qmail_etc_t)
type qmail_exec_t;
files_type(qmail_exec_t)
@@ -85,6 +85,8 @@ files_search_var(qmail_inject_t)
libs_use_ld_so(qmail_inject_t)
libs_use_shared_libs(qmail_inject_t)
+miscfiles_read_localization(qmail_inject_t)
+
qmail_read_config(qmail_inject_t)
########################################
@@ -100,17 +102,24 @@ allow qmail_local_t self:unix_stream_socket create_stream_socket_perms;
manage_dirs_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t)
manage_files_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t)
+can_exec(qmail_local_t, qmail_local_exec_t)
+
allow qmail_local_t qmail_queue_exec_t:file read;
allow qmail_local_t qmail_spool_t:file read_file_perms;
kernel_read_system_state(qmail_local_t)
+corecmd_exec_bin(qmail_local_t)
corecmd_exec_shell(qmail_local_t)
files_read_etc_files(qmail_local_t)
files_read_etc_runtime_files(qmail_local_t)
+auth_use_nsswitch(qmail_local_t)
+
+logging_send_syslog_msg(qmail_local_t)
+
mta_append_spool(qmail_local_t)
qmail_domtrans_queue(qmail_local_t)
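Review bot: The added `corecmd_exec_bin(qmail_local_t)` and `auth_use_nsswitch(qmail_local_t)` lines widen qmail_local_t considerably, and nothing in the hunk records which denial each one answers. `corecmd_exec_bin` sits next to the existing `corecmd_exec_shell`, so the domain can run generic binaries without a transition. `auth_use_nsswitch` presumably also brings in name-service network access; the macro body is not shown here, so confirm. I would put a one-line rationale above each, for example `# <program qmail-local executes from bin_t and why>`. That lets a later audit tell whether the grant can be narrowed to a domain transition. The same applies to `corecmd_exec_bin(qmail_queue_t)` in the `@@ -155,6 +164,10 @@` hunk.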
@@ -155,6 +164,10 @@ manage_dirs_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
manage_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
rw_fifo_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
+corecmd_exec_bin(qmail_queue_t)
+
+logging_send_syslog_msg(qmail_queue_t)
+
optional_policy(`
daemontools_ipc_domain(qmail_queue_t)
')
diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
index b84df8eb..e082a558 100644
--- a/policy/modules/system/ipsec.if
+++ b/policy/modules/system/ipsec.if
@@ -131,6 +131,25 @@ interface(`ipsec_setcontext_default_spd',`
allow $1 ipsec_spd_t:association setcontext;
')
+########################################
+##
+## write the ipsec_var_run_t files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ipsec_write_pid',`
+ gen_require(`
+ type ipsec_var_run_t;
+ ')
+
+ files_search_pids($1)
+ write_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t)
+')
+
########################################
##
## Create, read, write, and delete the IPSEC pid files.
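Review bot: The summary line of the new `ipsec_write_pid` interface, `## write the ipsec_var_run_t files.`, names the type instead of describing the access, and is lower-cased unlike the neighbouring interface that starts on the hunk's last line. I would word it `## Write the IPSEC pid files.` to match. The description should also say that only the `file` class is covered, since `write_files_pattern` is the only rule and the ipsec.te section of this commit shows `sock_file` objects with the same type. The new interface lies entirely inside the hunk; the following interface's comment block continues past it.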
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 990b691c..f2c3843a 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -1,5 +1,5 @@
-policy_module(ipsec, 1.7.0)
+policy_module(ipsec, 1.7.1)
########################################
#
@@ -69,9 +69,9 @@ allow ipsec_t ipsec_key_file_t:dir list_dir_perms;
read_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
read_lnk_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
-allow ipsec_t ipsec_var_run_t:file manage_file_perms;
-allow ipsec_t ipsec_var_run_t:sock_file manage_sock_file_perms;
-files_pid_filetrans(ipsec_t,ipsec_var_run_t,{ file sock_file })
+manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
+manage_sock_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
+files_pid_filetrans(ipsec_t, ipsec_var_run_t, { file sock_file })
can_exec(ipsec_t, ipsec_mgmt_exec_t)
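Review bot: Replacing the two raw `allow` rules with `manage_files_pattern` and `manage_sock_files_pattern` may be more than a respelling. As far as I recall, the pattern macros also grant read/write on directories of the second argument's type, which the removed rules did not; the macro definitions are not on this page, so confirm. If no directory is ever labelled ipsec_var_run_t the extra rule is inert, but it is worth a line in the commit message. If directory access is not intended, keep the narrower form, `allow ipsec_t ipsec_var_run_t:file manage_file_perms;`. The hunk shows only part of the ipsec_t rule block.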
diff --git a/policy/modules/system/iscsi.fc b/policy/modules/system/iscsi.fc
index a5aaa684..405dbe23 100644
--- a/policy/modules/system/iscsi.fc
+++ b/policy/modules/system/iscsi.fc
@@ -1,5 +1,5 @@
/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0)
-/var/lib/iscsi(/.*)? -- gen_context(system_u:object_r:iscsi_var_lib_t,s0)
-/var/lock/iscsi(/.*)? -- gen_context(system_u:object_r:iscsi_lock_t,s0)
+/var/lib/iscsi(/.*)? gen_context(system_u:object_r:iscsi_var_lib_t,s0)
+/var/lock/iscsi(/.*)? gen_context(system_u:object_r:iscsi_lock_t,s0)
/var/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0)
diff --git a/policy/modules/system/iscsi.te b/policy/modules/system/iscsi.te
index 8b661e8d..4a27e616 100644
--- a/policy/modules/system/iscsi.te
+++ b/policy/modules/system/iscsi.te
@@ -1,5 +1,5 @@
-policy_module(iscsid,1.4.0)
+policy_module(iscsid, 1.4.1)
########################################
#
@@ -29,7 +29,7 @@ files_pid_file(iscsi_var_run_t)
#
allow iscsid_t self:capability { dac_override ipc_lock net_admin sys_nice sys_resource };
-allow iscsid_t self:process { setrlimit setsched };
+allow iscsid_t self:process { setrlimit setsched signal };
allow iscsid_t self:fifo_file { read write };
allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow iscsid_t self:unix_dgram_socket create_socket_perms;
@@ -63,6 +63,7 @@ corenet_tcp_sendrecv_all_nodes(iscsid_t)
corenet_tcp_sendrecv_all_ports(iscsid_t)
corenet_tcp_connect_http_port(iscsid_t)
corenet_tcp_connect_iscsi_port(iscsid_t)
+corenet_tcp_connect_isns_port(iscsid_t)
dev_rw_sysfs(iscsid_t)
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 0c890679..30e139b8 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -1,5 +1,5 @@
-policy_module(sysnetwork, 1.7.0)
+policy_module(sysnetwork, 1.7.1)
########################################
#
@@ -319,6 +319,10 @@ ifdef(`hide_broken_symptoms',`
')
')
+optional_policy(`
+ ipsec_write_pid(ifconfig_t)
+')
+
optional_policy(`
netutils_domtrans(dhcpc_t)
')
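Review bot: The new `ipsec_write_pid(ifconfig_t)` block gives ifconfig_t write access to the ipsec pid files with no comment saying why ifconfig needs it. If the denial comes from a descriptor that ifconfig merely inherits from an ipsec script (an inference, nothing here shows it), a dontaudit rule would be the tighter answer than an allow. Either way I would add a rationale line inside the block, such as `# <reason ifconfig writes ipsec pid files>`. That keeps the grant reviewable.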