diff --git a/aiccu.te b/aiccu.te

index 6e4206c..a9039ce 100644

--- a/aiccu.te

+++ b/aiccu.te

@@ -69,6 +69,10 @@ optional_policy(`

 ')

 optional_policy(`

+    pcscd_stream_connect(aiccu_t)

+')

+

+optional_policy(`

 	sysnet_dns_name_resolve(aiccu_t)

 	sysnet_domtrans_ifconfig(aiccu_t)

 ')

diff --git a/antivirus.te b/antivirus.te

index 8ba9c95..83590aa 100644

--- a/antivirus.te

+++ b/antivirus.te

@@ -37,7 +37,7 @@ typealias antivirus_unit_file_t alias { clamd_unit_file_t };

 systemd_unit_file(antivirus_unit_file_t)

 type antivirus_conf_t;

-typealias antivirus_conf_t alias { clamd_etc_t };

+typealias antivirus_conf_t alias { clamd_etc_t amavis_etc_t };

 files_config_file(antivirus_conf_t)

 type antivirus_var_run_t;

@@ -166,6 +166,7 @@ dev_read_urand(antivirus_domain)

 domain_dontaudit_read_all_domains_state(antivirus_domain)

+files_dontaudit_read_security_files(antivirus_domain)

 files_read_etc_runtime_files(antivirus_domain)

 files_search_spool(antivirus_domain)

@@ -190,8 +191,6 @@ userdom_dontaudit_search_user_home_dirs(antivirus_domain)

 tunable_policy(`antivirus_can_scan_system',`

 	files_read_non_security_files(antivirus_domain)

-    #files_dontaudit_read_all_non_security_files(antivirus_domain)

-    files_dontaudit_read_security_files(antivirus_domain)

 	files_getattr_all_pipes(antivirus_domain)

 	files_getattr_all_sockets(antivirus_domain)

     dev_getattr_all_blk_files(antivirus_domain)

diff --git a/apache.fc b/apache.fc

index 43bb1c9..b903cc0 100644

--- a/apache.fc

+++ b/apache.fc

@@ -133,6 +133,7 @@ ifdef(`distro_suse', `

 /var/log/apache(2)?(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)

 /var/log/apache-ssl(2)?(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)

 /var/log/glpi(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)

+/var/log/horizon(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)

 /var/log/cacti(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)

 /var/log/cgiwrap\.log.*		--	gen_context(system_u:object_r:httpd_log_t,s0)

 /var/log/cherokee(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)

diff --git a/apache.if b/apache.if

index 64beed7..9426db5 100644

--- a/apache.if

+++ b/apache.if

@@ -74,6 +74,8 @@ template(`apache_content_template',`

 	manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)

 	manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)

+    allow httpd_$1_script_t httpd_t:unix_stream_socket { getattr read write };

+

 	# Allow the web server to run scripts and serve pages

 	tunable_policy(`httpd_builtin_scripting',`

 		manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)

diff --git a/apache.te b/apache.te

index 21d7195..bce7760 100644

--- a/apache.te

+++ b/apache.te

@@ -474,7 +474,7 @@ role system_r types httpd_passwd_t;

 # Apache server local policy

 #

-allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };

+allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config sys_chroot };

 dontaudit httpd_t self:capability { net_admin sys_tty_config };

 allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };

 allow httpd_t self:fd use;

@@ -510,6 +510,7 @@ allow httpd_t httpd_log_t:dir setattr;

 create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)

 create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)

 append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)

+setattr_files_pattern(httpd_t, httpd_log_t, httpd_log_t)

 read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)

 read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)

 # cjp: need to refine create interfaces to

@@ -1035,6 +1036,7 @@ optional_policy(`

 optional_policy(`

 	passenger_exec(httpd_t)

+	passenger_kill(httpd_t)

 	passenger_manage_pid_content(httpd_t)

 ')

@@ -1649,7 +1651,7 @@ allow httpd_t httpd_script_type:unix_stream_socket connectto;

 allow httpd_t httpd_script_exec_type:file read_file_perms;

 allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms;

-allow httpd_t httpd_script_type:process { signal sigkill sigstop };

+allow httpd_t httpd_script_type:process { signal sigkill sigstop signull };

 allow httpd_t httpd_script_exec_type:dir list_dir_perms;

 allow httpd_script_type self:process { setsched signal_perms };

@@ -1660,6 +1662,7 @@ allow httpd_script_type httpd_t:fd use;

 allow httpd_script_type httpd_t:process sigchld;

 dontaudit httpd_script_type httpd_t:tcp_socket { read write };

+dontaudit httpd_script_type httpd_t:unix_stream_socket { read write };

 fs_getattr_xattr_fs(httpd_script_type)

diff --git a/apcupsd.te b/apcupsd.te

index a370cb8..5206035 100644

--- a/apcupsd.te

+++ b/apcupsd.te

@@ -82,6 +82,8 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t)

 dev_rw_generic_usb_dev(apcupsd_t)

+domain_signull_all_domains(apcupsd_t)

+

 files_manage_etc_runtime_files(apcupsd_t)

 files_etc_filetrans_etc_runtime(apcupsd_t, file, "nologin")

diff --git a/automount.te b/automount.te

index f27656d..11dbe9d 100644

--- a/automount.te

+++ b/automount.te

@@ -89,6 +89,7 @@ corenet_udp_bind_all_rpc_ports(automount_t)

 files_dontaudit_write_var_dirs(automount_t)

 files_getattr_all_dirs(automount_t)

+files_getattr_all_files(automount_t)

 files_getattr_default_dirs(automount_t)

 files_getattr_home_dir(automount_t)

 files_getattr_isid_type_dirs(automount_t)

diff --git a/bind.if b/bind.if

index 6c2dbe4..43b445c 100644

--- a/bind.if

+++ b/bind.if

@@ -408,6 +408,25 @@ interface(`bind_udp_chat_named',`

 ########################################

 ## <summary>

+##	Allow the domain to read bind state files in /proc.

+## </summary>

+## <param name="domain">

+##	<summary>

+##	Domain allowed access.

+##	</summary>

+## </param>

+#

+interface(`bind_read_state',`

+	gen_require(`

+		type named_t;

+	')

+

+	kernel_search_proc($1)

+	ps_process_pattern($1, named_t)

+')

+

+########################################

+## <summary>

 ##	All of the rules required to

 ##	administrate an bind environment.

 ## </summary>

diff --git a/chronyd.te b/chronyd.te

index 7d723c0..d0c8001 100644

--- a/chronyd.te

+++ b/chronyd.te

@@ -87,6 +87,7 @@ domain_dontaudit_getsession_all_domains(chronyd_t)

 dev_read_rand(chronyd_t)

 dev_read_urand(chronyd_t)

+dev_read_sysfs(chronyd_t)

 dev_rw_realtime_clock(chronyd_t)

diff --git a/cloudform.te b/cloudform.te

index 786d623..496ce03 100644

--- a/cloudform.te

+++ b/cloudform.te

@@ -270,8 +270,9 @@ files_tmp_filetrans(mongod_t, mongod_tmp_t, { file dir sock_file })

 manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)

 manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)

+manage_sock_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)

 #needed by dbomatic

-files_pid_filetrans(mongod_t, mongod_var_run_t, { file })

+files_pid_filetrans(mongod_t, mongod_var_run_t, { file sock_file dir })

 corecmd_exec_bin(mongod_t)

 corecmd_exec_shell(mongod_t)

diff --git a/conman.te b/conman.te

index 0de2d4d..d6b0314 100644

--- a/conman.te

+++ b/conman.te

@@ -25,7 +25,7 @@ allow conman_t self:process { setrlimit signal_perms };

 allow conman_t self:fifo_file rw_fifo_file_perms;

 allow conman_t self:unix_stream_socket create_stream_socket_perms;

-allow conman_t self:tcp_socket { listen create_socket_perms };

+allow conman_t self:tcp_socket { accept listen create_socket_perms };

 manage_dirs_pattern(conman_t, conman_log_t, conman_log_t)

 manage_files_pattern(conman_t, conman_log_t, conman_log_t)

@@ -40,6 +40,10 @@ auth_read_passwd(conman_t)

 logging_send_syslog_msg(conman_t)

+sysnet_dns_name_resolve(conman_t)

+

+userdom_use_user_ptys(conman_t)

+

 optional_policy(`

     freeipmi_stream_connect(conman_t)

 ')

diff --git a/cups.fc b/cups.fc

index afe482b..9437dbe 100644

--- a/cups.fc

+++ b/cups.fc

@@ -76,10 +76,14 @@

 /var/run/udev-configure-printer(/.*)? 	gen_context(system_u:object_r:cupsd_config_var_run_t,s0)

 /var/turboprint(/.*)?		gen_context(system_u:object_r:cupsd_var_run_t,s0)

+/etc/opt/Brother/(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)

 /usr/Brother/fax/.*\.log.*		gen_context(system_u:object_r:cupsd_log_t,s0)

 /usr/Brother/(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)

-/etc/opt/Brother/(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)

 /usr/Printer/(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)

+/usr/local/Brother/fax/.*\.log.*		gen_context(system_u:object_r:cupsd_log_t,s0)

+/usr/local/Brother/(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)

+/usr/local/Printer/(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)

+

 /usr/local/linuxprinter/ppd(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)

diff --git a/dhcp.te b/dhcp.te

index cdb4d60..5d61f10 100644

--- a/dhcp.te

+++ b/dhcp.te

@@ -103,13 +103,26 @@ auth_use_nsswitch(dhcpd_t)

 logging_send_syslog_msg(dhcpd_t)

+sysnet_read_config(dhcpd_t)

 sysnet_read_dhcp_config(dhcpd_t)

 userdom_dontaudit_use_unpriv_user_fds(dhcpd_t)

 userdom_dontaudit_search_user_home_dirs(dhcpd_t)

 tunable_policy(`dhcpd_use_ldap',`

-	sysnet_use_ldap(dhcpd_t)

+    allow dhcpd_t self:tcp_socket create_socket_perms;

+')

+

+tunable_policy(`dhcpd_use_ldap',`

+    corenet_tcp_sendrecv_generic_if(dhcpd_t)

+    corenet_tcp_sendrecv_generic_node(dhcpd_t)

+    corenet_tcp_sendrecv_ldap_port(dhcpd_t)

+    corenet_tcp_connect_ldap_port(dhcpd_t)

+    corenet_sendrecv_ldap_client_packets(dhcpd_t)

+')

+

+tunable_policy(`dhcpd_use_ldap',`

+	ldap_read_certs(dhcpd_t)

 ')

 ifdef(`distro_gentoo',`

diff --git a/docker.te b/docker.te

index c80e06c..73e71c1 100644

--- a/docker.te

+++ b/docker.te

@@ -97,6 +97,7 @@ manage_chr_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)

 manage_blk_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)

 manage_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)

 manage_lnk_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)

+allow docker_t docker_var_lib_t:dir_file_class_set { relabelfrom relabelto };

 files_var_lib_filetrans(docker_t, docker_var_lib_t, { dir file lnk_file })

 manage_dirs_pattern(docker_t, docker_var_run_t, docker_var_run_t)

@@ -135,12 +136,14 @@ files_read_etc_files(docker_t)

 fs_read_cgroup_files(docker_t)

 fs_read_tmpfs_symlinks(docker_t)

+fs_getattr_all_fs(docker_t)

 storage_raw_rw_fixed_disk(docker_t)

 auth_use_nsswitch(docker_t)

 init_read_state(docker_t)

+init_status(docker_t)

 logging_send_audit_msgs(docker_t)

 logging_send_syslog_msg(docker_t)

@@ -220,6 +223,12 @@ term_mounton_unallocated_ttys(docker_t)

 modutils_domtrans_insmod(docker_t)

+systemd_status_all_unit_files(docker_t)

+systemd_start_systemd_services(docker_t)

+

+userdom_stream_connect(docker_t)

+userdom_search_user_home_content(docker_t)

+

 optional_policy(`

 	dbus_system_bus_client(docker_t)

 	init_dbus_chat(docker_t)

diff --git a/drbd.fc b/drbd.fc

index 671a3fb..c781675 100644

--- a/drbd.fc

+++ b/drbd.fc

@@ -3,7 +3,7 @@

 /sbin/drbdadm	--	gen_context(system_u:object_r:drbd_exec_t,s0)

 /sbin/drbdsetup	--	gen_context(system_u:object_r:drbd_exec_t,s0)

-/usr/lib/ocf/resource.\d/linbit/drbd	--	gen_context(system_u:object_r:drbd_exec_t,s0)

+/usr/lib/ocf/resource\.d/linbit/drbd	--	gen_context(system_u:object_r:drbd_exec_t,s0)

 /usr/sbin/drbdadm	--	gen_context(system_u:object_r:drbd_exec_t,s0)

 /usr/sbin/drbdsetup	--	gen_context(system_u:object_r:drbd_exec_t,s0)

diff --git a/exim.fc b/exim.fc

index dc0254b..9df498d 100644

--- a/exim.fc

+++ b/exim.fc

@@ -3,6 +3,8 @@

 /usr/sbin/exim[0-9]?	--	gen_context(system_u:object_r:exim_exec_t,s0)

 /usr/sbin/exim_tidydb	--	gen_context(system_u:object_r:exim_exec_t,s0)

+/var/lib/exim[0-9]?(/.*)?	gen_context(system_u:object_r:exim_var_lib_t,s0)

+

 /var/log/exim[0-9]?(/.*)?	gen_context(system_u:object_r:exim_log_t,s0)

 /var/run/exim[0-9]?(/.*)?	gen_context(system_u:object_r:exim_var_run_t,s0)

diff --git a/exim.if b/exim.if

index ef3b449..4a8d053 100644

--- a/exim.if

+++ b/exim.if

@@ -241,8 +241,46 @@ interface(`exim_manage_spool_files',`

 ########################################

 ## <summary>

-##	All of the rules required to administrate

-##	an exim environment.

+##	Read exim var lib files.

+## </summary>

+## <param name="domain">

+##	<summary>

+##	Domain allowed access.

+##	</summary>

+## </param>

+#

+interface(`exim_read_var_lib_files',`

+	gen_require(`

+		type exim_var_lib_t;

+	')

+

+	read_files_pattern($1, exim_var_lib_t, exim_var_lib_t)

+	files_search_var_lib($1)

+')

+

+########################################

+## <summary>

+##	Create, read, and write exim var lib files.

+## </summary>

+## <param name="domain">

+##	<summary>

+##	Domain allowed access.

+##	</summary>

+## </param>

+#

+interface(`exim_manage_var_lib_files',`

+	gen_require(`

+		type exim_var_lib_t;

+	')

+

+	manage_files_pattern($1, exim_var_lib_t, exim_var_lib_t)

+	files_search_var_lib($1)

+')

+

+########################################

+## <summary>

+##	All of the rules required to

+##	administrate an exim environment.

 ## </summary>

 ## <param name="domain">

 ##	<summary>

@@ -257,8 +295,9 @@ interface(`exim_manage_spool_files',`

 #

 interface(`exim_admin',`

 	gen_require(`

-		type exim_t, exim_initrc_exec_t, exim_log_t;

-		type exim_tmp_t, exim_spool_t, exim_var_run_t;

+		type exim_t, exim_spool_t, exim_log_t;

+		type exim_var_run_t, exim_initrc_exec_t, exim_tmp_t;

+		type exim_keytab_t;

 	')

 	allow $1 exim_t:process signal_perms;

@@ -273,6 +312,9 @@ interface(`exim_admin',`

 	role_transition $2 exim_initrc_exec_t system_r;

 	allow $2 system_r;

+	files_search_etc($1)

+	admin_pattern($1, exim_keytab_t)

+

 	files_search_spool($1)

 	admin_pattern($1, exim_spool_t)

diff --git a/exim.te b/exim.te

index 3e86b12..5495c90 100644

--- a/exim.te

+++ b/exim.te

@@ -1,4 +1,4 @@

-policy_module(exim, 1.5.4)

+policy_module(exim, 1.6.1)

 ########################################

 #

@@ -45,6 +45,9 @@ mta_agent_executable(exim_exec_t)

 type exim_initrc_exec_t;

 init_script_file(exim_initrc_exec_t)

+type exim_var_lib_t;

+files_type(exim_var_lib_t)

+

 type exim_log_t;

 logging_log_file(exim_log_t)

@@ -57,6 +60,10 @@ files_tmp_file(exim_tmp_t)

 type exim_var_run_t;

 files_pid_file(exim_var_run_t)

+ifdef(`distro_debian',`

+	init_daemon_run_dir(exim_var_run_t, "exim4")

+')

+

 ########################################

 #

 # Local policy

@@ -68,6 +75,8 @@ allow exim_t self:fifo_file rw_fifo_file_perms;

 allow exim_t self:unix_stream_socket { accept listen };

 allow exim_t self:tcp_socket { accept listen };

+manage_files_pattern(exim_t, exim_var_lib_t, exim_var_lib_t)

+

 append_files_pattern(exim_t, exim_log_t, exim_log_t)

 create_files_pattern(exim_t, exim_log_t, exim_log_t)

 setattr_files_pattern(exim_t, exim_log_t, exim_log_t)

@@ -88,6 +97,7 @@ files_pid_filetrans(exim_t, exim_var_run_t, { dir file })

 can_exec(exim_t, exim_exec_t)

+kernel_read_crypto_sysctls(exim_t)

 kernel_read_kernel_sysctls(exim_t)

 kernel_read_network_state(exim_t)

 kernel_read_system_state(exim_t)

@@ -122,6 +132,7 @@ corenet_tcp_connect_spamd_port(exim_t)

 dev_read_rand(exim_t)

 dev_read_urand(exim_t)

+dev_read_sysfs(exim_t)

 domain_use_interactive_fds(exim_t)

@@ -134,6 +145,7 @@ fs_getattr_xattr_fs(exim_t)

 fs_list_inotifyfs(exim_t)

 auth_use_nsswitch(exim_t)

+auth_domtrans_chk_passwd(exim_t)

 logging_send_syslog_msg(exim_t)

@@ -175,6 +187,7 @@ optional_policy(`

 optional_policy(`

 	cron_read_pipes(exim_t)

 	cron_rw_system_job_pipes(exim_t)

+	cron_use_system_job_fds(exim_t)

 ')

 optional_policy(`

@@ -186,7 +199,7 @@ optional_policy(`

 ')

 optional_policy(`

-	kerberos_keytab_template(exim, exim_t)

+    kerberos_keytab_template(exim, exim_t)

 ')

 optional_policy(`

diff --git a/fprintd.te b/fprintd.te

index ed04b9e..72b7712 100644

--- a/fprintd.te

+++ b/fprintd.te

@@ -33,6 +33,8 @@ dev_read_sysfs(fprintd_t)

 dev_read_urand(fprintd_t)

 dev_rw_generic_usb_dev(fprintd_t)

+files_dontaudit_list_tmp(fprintd_t)

+

 fs_getattr_all_fs(fprintd_t)

 auth_use_nsswitch(fprintd_t)

diff --git a/freeipmi.te b/freeipmi.te

index 8071a76..0710d79 100644

--- a/freeipmi.te

+++ b/freeipmi.te

@@ -40,6 +40,7 @@ files_var_lib_filetrans(freeipmi_domain, freeipmi_var_lib_t, { dir })

 dev_read_rand(freeipmi_domain)

 dev_read_urand(freeipmi_domain)

+dev_rw_ipmi_dev(freeipmi_domain)

 sysnet_dns_name_resolve(freeipmi_domain)

@@ -50,7 +51,6 @@ sysnet_dns_name_resolve(freeipmi_domain)

 files_pid_filetrans(freeipmi_bmc_watchdog_t, freeipmi_bmc_watchdog_var_run_t, file, "bmc-watchdog.pid")

-dev_rw_ipmi_dev(freeipmi_bmc_watchdog_t)

 allow freeipmi_bmc_watchdog_t freeipmi_ipmiseld_t:sem rw_sem_perms;

diff --git a/gear.fc b/gear.fc

index 5eabf35..98c012c 100644

--- a/gear.fc

+++ b/gear.fc

@@ -1,7 +1,7 @@

 /usr/bin/gear			--	gen_context(system_u:object_r:gear_exec_t,s0)

-/usr/lib/systemd/system/gear.service		--	gen_context(system_u:object_r:gear_unit_file_t,s0)

-

-/var/lib/containers/bin/gear	--	gen_context(system_u:object_r:gear_exec_t,s0)

+/usr/lib/systemd/system/gear.service	--	gen_context(system_u:object_r:gear_unit_file_t,s0)

+/var/lib/containers(/.*)?			gen_context(system_u:object_r:gear_var_lib_t,s0)

+/var/lib/containers/units(/.*)?			gen_context(system_u:object_r:gear_unit_file_t,s0)

 /var/lib/gear(/.*)?		gen_context(system_u:object_r:gear_var_lib_t,s0)

diff --git a/gear.te b/gear.te

index 6c32f79..cb68ca9 100644

--- a/gear.te

+++ b/gear.te

@@ -25,11 +25,15 @@ systemd_unit_file(gear_unit_file_t)

 #

 # gear local policy

 #

+allow gear_t self:capability { chown net_admin fowner dac_override };

+allow gear_t self:capability2 block_suspend;

 allow gear_t self:process { getattr signal_perms };

 allow gear_t self:fifo_file rw_fifo_file_perms;

 allow gear_t self:unix_stream_socket create_stream_socket_perms;

 allow gear_t self:tcp_socket create_stream_socket_perms;

+allow gear_t gear_unit_file_t:dir { relabelfrom relabelto };

+

 manage_dirs_pattern(gear_t, gear_log_t, gear_log_t)

 manage_files_pattern(gear_t, gear_log_t, gear_log_t)

 manage_lnk_files_pattern(gear_t, gear_log_t, gear_log_t)

@@ -43,6 +47,7 @@ manage_blk_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)

 manage_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)

 manage_lnk_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)

 files_var_lib_filetrans(gear_t, gear_var_lib_t, { dir file lnk_file })

+allow gear_t gear_var_lib_t:dir { relabelfrom relabelto };

 manage_dirs_pattern(gear_t, gear_var_run_t, gear_var_run_t)

 manage_files_pattern(gear_t, gear_var_run_t, gear_var_run_t)

@@ -56,6 +61,7 @@ kernel_read_all_sysctls(gear_t)

 kernel_rw_net_sysctls(gear_t)

 domain_use_interactive_fds(gear_t)

+domain_read_all_domains_state(gear_t)

 corecmd_exec_bin(gear_t)

 corecmd_exec_shell(gear_t)

@@ -66,6 +72,11 @@ corenet_tcp_sendrecv_generic_node(gear_t)

 corenet_tcp_sendrecv_generic_port(gear_t)

 corenet_tcp_bind_gear_port(gear_t)

+dev_mounton_sysfs(gear_t)

+dev_mount_sysfs_fs(gear_t)

+dev_unmount_sysfs_fs(gear_t)

+

+files_mounton_rootfs(gear_t)

 files_read_etc_files(gear_t)

 fs_read_cgroup_files(gear_t)

@@ -75,6 +86,9 @@ auth_use_nsswitch(gear_t)

 init_read_state(gear_t)

 init_dbus_chat(gear_t)

+init_enable_services(gear_t)

+

+iptables_domtrans(gear_t)

 logging_send_audit_msgs(gear_t)

 logging_send_syslog_msg(gear_t)

@@ -87,8 +101,25 @@ seutil_read_default_contexts(gear_t)

 sysnet_dns_name_resolve(gear_t)

+sysnet_exec_ifconfig(gear_t)

+sysnet_manage_ifconfig_run(gear_t)

+

 systemd_manage_all_unit_files(gear_t)

 optional_policy(`

+	hostname_exec(gear_t)

+')

+

+optional_policy(`

+	dbus_system_bus_client(gear_t)

+')

+

+optional_policy(`

 	docker_stream_connect(gear_t)

 ')

+

+optional_policy(`

+	openshift_manage_lib_dirs(gear_t)

+	openshift_manage_lib_files(gear_t)

+	openshift_relabelfrom_lib(gear_t)

+')

diff --git a/glance.fc b/glance.fc

index c21a528..a746a2b 100644

--- a/glance.fc

+++ b/glance.fc

@@ -1,8 +1,14 @@

 /etc/rc\.d/init\.d/openstack-glance-api	--	gen_context(system_u:object_r:glance_api_initrc_exec_t,s0)

 /etc/rc\.d/init\.d/openstack-glance-registry	--	gen_context(system_u:object_r:glance_registry_initrc_exec_t,s0)

+/etc/rc\.d/init\.d/openstack-glance-scrubber	--	gen_context(system_u:object_r:glance_scrubber_initrc_exec_t,s0)

-/usr/bin/glance-api	--	gen_context(system_u:object_r:glance_api_exec_t,s0)

+/usr/lib/systemd/system/openstack-glance-api.*              --  gen_context(system_u:object_r:glance_api_unit_file_t,s0)

+/usr/lib/systemd/system/openstack-glance-registry.*         --  gen_context(system_u:object_r:glance_registry_unit_file_t,s0)

+/usr/lib/systemd/system/openstack-glance-scrubber.*         --  gen_context(system_u:object_r:glance_scrubber_unit_file_t,s0)

+

+/usr/bin/glance-api	        --	gen_context(system_u:object_r:glance_api_exec_t,s0)

 /usr/bin/glance-registry	--	gen_context(system_u:object_r:glance_registry_exec_t,s0)

+/usr/bin/glance-scrubber    --  gen_context(system_u:object_r:glance_scrubber_exec_t,s0)

 /var/lib/glance(/.*)?	gen_context(system_u:object_r:glance_var_lib_t,s0)

diff --git a/glance.if b/glance.if

index 229782f..2f3fa34 100644

--- a/glance.if

+++ b/glance.if

@@ -19,10 +19,16 @@ template(`glance_basic_types_template',`

 	type $1_t, glance_domain;

 	type $1_exec_t;

+    type $1_unit_file_t;

+    systemd_unit_file($1_unit_file_t)

+

 	kernel_read_system_state($1_t)

 	corenet_all_recvfrom_unlabeled($1_t)

 	corenet_all_recvfrom_netlabel($1_t)

+

+    logging_send_syslog_msg($1_t)

+

 ')

 ########################################

diff --git a/glance.te b/glance.te

index 16dcb5b..109dc9b 100644

--- a/glance.te

+++ b/glance.te

@@ -1,10 +1,32 @@

-policy_module(glance, 1.0.2)

+policy_module(glance, 1.1.0)

 ########################################

 #

 # Declarations

 #

+## <desc>

+##  

+##	Determine whether glance-api can

+##	connect to all TCP ports

+##	

+## </desc>

+gen_tunable(glance_api_can_network, false)

+

+## <desc>

+## 

+## Allow glance domain to manage fuse files

+## 

+## </desc>

+gen_tunable(glance_use_fusefs, false)

+

+## <desc>

+## 

+## Allow glance domain to use executable memory and executable stack

+## 

+## </desc>

+gen_tunable(glance_use_execmem, false)

+

 attribute glance_domain;

 glance_basic_types_template(glance_registry)

@@ -25,6 +47,12 @@ init_daemon_domain(glance_api_t, glance_api_exec_t)

 type glance_api_initrc_exec_t;

 init_script_file(glance_api_initrc_exec_t)

+glance_basic_types_template(glance_scrubber)

+init_daemon_domain(glance_scrubber_t, glance_scrubber_exec_t)

+

+type glance_scrubber_initrc_exec_t;

+init_script_file(glance_scrubber_initrc_exec_t)

+

 type glance_log_t;