diff --git a/SOURCES/policy-rhel-7.0.z-base.patch b/SOURCES/policy-rhel-7.0.z-base.patch
index e229992..2f3752e 100644
--- a/SOURCES/policy-rhel-7.0.z-base.patch
+++ b/SOURCES/policy-rhel-7.0.z-base.patch
@@ -55,7 +55,7 @@ index fc6d1d3..612503a 100644
  	dbus_system_bus_client(sudodomain)
  ')
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 72e1a41..77dedae 100644
+index 72e1a41..26e21b2 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -272,7 +272,7 @@ network_port(pulseaudio, tcp,4713,s0, udp,4713,s0)
@@ -67,7 +67,15 @@ index 72e1a41..77dedae 100644
  network_port(radacct, udp,1646,s0, udp,1813,s0)
  network_port(radius, udp,1645,s0, udp,1812,s0)
  network_port(radsec, tcp,2083,s0)
-@@ -326,6 +326,7 @@ network_port(trisoap, tcp,10200,s0, udp,10200,s0)
+@@ -312,6 +312,7 @@ network_port(stunnel) # no defined portcon
+ network_port(svn, tcp,3690,s0, udp,3690,s0)
+ network_port(svrloc, tcp,427,s0, udp,427,s0)
+ network_port(swat, tcp,901,s0)
++network_port(swift, tcp,6200-6203,s0)
+ network_port(sype_transport, tcp,9911,s0, udp,9911,s0)
+ network_port(syslogd, udp,514,s0, udp,601,s0, tcp,601,s0)
+ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
+@@ -326,6 +327,7 @@ network_port(trisoap, tcp,10200,s0, udp,10200,s0)
  network_port(ups, tcp,3493,s0)
  network_port(utcpserver) # no defined portcon
  network_port(uucpd, tcp,540,s0)
@@ -190,6 +198,60 @@ index 924f856..7b26d12 100644
 -/var/run/[^/]*/gvfs/.*	<<none>>
 +/var/run/user/[^/]*/gvfs		-d	gen_context(system_u:object_r:fusefs_t,s0)
 +/var/run/user/[^/]*/gvfs/.*	<<none>>
+diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
+index 3270372..170e7da 100644
+--- a/policy/modules/kernel/kernel.if
++++ b/policy/modules/kernel/kernel.if
+@@ -126,6 +126,24 @@ interface(`kernel_setsched',`
+ 
+ ########################################
+ ## <summary>
++##	Dontaudit attempts to set the priority of kernel threads.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`kernel_dontaudit_setsched',`
++	gen_require(`
++		type kernel_t;
++	')
++
++	dontaudit $1 kernel_t:process setsched;
++')
++
++########################################
++## <summary>
+ ##	Send a SIGCHLD signal to kernel threads.
+ ## </summary>
+ ## <param name="domain">
+@@ -180,6 +198,24 @@ interface(`kernel_signal',`
+ 
+ ########################################
+ ## <summary>
++##	Send signull to kernel threads.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`kernel_signull',`
++	gen_require(`
++		type kernel_t;
++	')
++
++	allow $1 kernel_t:process signull;
++')
++
++########################################
++## <summary>
+ ##	Allows the kernel to share state information with
+ ##	the caller.
+ ## </summary>
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
 index d6519a1..5a9d307 100644
 --- a/policy/modules/services/ssh.te
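Review bot: The parameter description of the new `kernel_dontaudit_setsched` interface says `Domain allowed access.`, but the interface only emits a `dontaudit` rule and grants nothing. The wording should be `Domain to not audit.`, so that a reader of the generated interface documentation does not take it for an allow. Separately, no caller of the new `kernel_signull` interface is visible in this diff, and the raid.te change calls `kernel_signal` instead. It is worth confirming which of the two was intended.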
diff --git a/SOURCES/policy-rhel-7.0.z-contrib.patch b/SOURCES/policy-rhel-7.0.z-contrib.patch
index 2c39572..f61be49 100644
--- a/SOURCES/policy-rhel-7.0.z-contrib.patch
+++ b/SOURCES/policy-rhel-7.0.z-contrib.patch
@@ -626,25 +626,99 @@ index 6c32f79..cb68ca9 100644
 +	openshift_manage_lib_files(gear_t)
 +	openshift_relabelfrom_lib(gear_t)
 +')
+diff --git a/glance.fc b/glance.fc
+index c21a528..a746a2b 100644
+--- a/glance.fc
++++ b/glance.fc
+@@ -1,8 +1,14 @@
+ /etc/rc\.d/init\.d/openstack-glance-api	--	gen_context(system_u:object_r:glance_api_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/openstack-glance-registry	--	gen_context(system_u:object_r:glance_registry_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/openstack-glance-scrubber	--	gen_context(system_u:object_r:glance_scrubber_initrc_exec_t,s0)
+ 
+-/usr/bin/glance-api	--	gen_context(system_u:object_r:glance_api_exec_t,s0)
++/usr/lib/systemd/system/openstack-glance-api.*              --  gen_context(system_u:object_r:glance_api_unit_file_t,s0)
++/usr/lib/systemd/system/openstack-glance-registry.*         --  gen_context(system_u:object_r:glance_registry_unit_file_t,s0)
++/usr/lib/systemd/system/openstack-glance-scrubber.*         --  gen_context(system_u:object_r:glance_scrubber_unit_file_t,s0)
++
++/usr/bin/glance-api	        --	gen_context(system_u:object_r:glance_api_exec_t,s0)
+ /usr/bin/glance-registry	--	gen_context(system_u:object_r:glance_registry_exec_t,s0)
++/usr/bin/glance-scrubber    --  gen_context(system_u:object_r:glance_scrubber_exec_t,s0)
+ 
+ /var/lib/glance(/.*)?	gen_context(system_u:object_r:glance_var_lib_t,s0)
+ 
+diff --git a/glance.if b/glance.if
+index 229782f..2f3fa34 100644
+--- a/glance.if
++++ b/glance.if
+@@ -19,10 +19,16 @@ template(`glance_basic_types_template',`
+ 	type $1_t, glance_domain;
+ 	type $1_exec_t;
+ 
++    type $1_unit_file_t;
++    systemd_unit_file($1_unit_file_t)
++
+ 	kernel_read_system_state($1_t)
+ 
+ 	corenet_all_recvfrom_unlabeled($1_t)
+ 	corenet_all_recvfrom_netlabel($1_t)
++
++    logging_send_syslog_msg($1_t)
++
+ ')
+ 
+ ########################################
 diff --git a/glance.te b/glance.te
-index 16dcb5b..2d17fe6 100644
+index 16dcb5b..109dc9b 100644
 --- a/glance.te
 +++ b/glance.te
-@@ -5,6 +5,13 @@ policy_module(glance, 1.0.2)
+@@ -1,10 +1,32 @@
+-policy_module(glance, 1.0.2)
++policy_module(glance, 1.1.0)
+ 
+ ########################################
+ #
  # Declarations
  #
  
 +## <desc>
++##  <p>
++##	Determine whether glance-api can
++##	connect to all TCP ports
++##	</p>
++## </desc>
++gen_tunable(glance_api_can_network, false)
++
++## <desc>
 +## <p>
 +## Allow glance domain to manage fuse files
 +## </p>
 +## </desc>
 +gen_tunable(glance_use_fusefs, false)
 +
++## <desc>
++## <p>
++## Allow glance domain to use executable memory and executable stack
++## </p>
++## </desc>
++gen_tunable(glance_use_execmem, false)
++
  attribute glance_domain;
  
  glance_basic_types_template(glance_registry)
-@@ -77,6 +84,19 @@ libs_exec_ldconfig(glance_domain)
+@@ -25,6 +47,12 @@ init_daemon_domain(glance_api_t, glance_api_exec_t)
+ type glance_api_initrc_exec_t;
+ init_script_file(glance_api_initrc_exec_t)
+ 
++glance_basic_types_template(glance_scrubber)
++init_daemon_domain(glance_scrubber_t, glance_scrubber_exec_t)
++
++type glance_scrubber_initrc_exec_t;
++init_script_file(glance_scrubber_initrc_exec_t)
++
+ type glance_log_t;
+ logging_log_file(glance_log_t)
+ 
+@@ -77,6 +105,21 @@ libs_exec_ldconfig(glance_domain)
  
  sysnet_dns_name_resolve(glance_domain)
  
@@ -655,7 +729,9 @@ index 16dcb5b..2d17fe6 100644
 +	fs_getattr_fusefs(glance_domain)
 +')
 +
-+
++tunable_policy(`glance_use_execmem',`
++    allow glance_domain self:process { execmem execstack };
++')
 +
 +optional_policy(`
 +    mysql_read_db_lnk_files(glance_domain)
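Review bot: The `glance_use_execmem` block grants `execmem` and `execstack` together to the whole `glance_domain` attribute. Enabling the boolean for one service therefore gives an executable stack to every glance domain built from the template, presumably registry, api and the new scrubber. An executable stack is a separate and weaker memory protection to give up than `execmem`. Consider keeping only `allow glance_domain self:process execmem;` under this boolean and adding `execstack` under its own tunable if a denial actually shows it is needed. The tunable itself is declared in the previous hunk of this patch.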
@@ -664,7 +740,18 @@ index 16dcb5b..2d17fe6 100644
  ########################################
  #
  # Registry local policy
-@@ -122,6 +142,8 @@ corenet_tcp_connect_mysqld_port(glance_api_t)
+@@ -102,6 +145,10 @@ optional_policy(`
+ 	mysql_tcp_connect(glance_registry_t)
+ ')
+ 
++optional_policy(`
++    unconfined_domain(glance_registry_t)
++')
++
+ ########################################
+ #
+ # Api local policy
+@@ -122,12 +169,24 @@ corenet_tcp_connect_mysqld_port(glance_api_t)
  corenet_tcp_connect_http_port(glance_api_t)
  
  corenet_tcp_connect_all_ephemeral_ports(glance_api_t)
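Review bot: The added `optional_policy` block calling `unconfined_domain(glance_registry_t)` removes confinement from the registry domain whenever the unconfined module is installed, assuming the interface is defined as in the reference policy. The next hunk adds the same block for `glance_api_t`. With both in place, the new `glance_api_can_network` and `glance_use_execmem` booleans, which default to false, no longer restrict these two domains. If this is a stop-gap for the back-port, say so in the policy with a comment such as `# temporary: remove once the remaining glance denials are covered by explicit rules`. Otherwise drop both blocks and add the specific rules that the logged AVC denials call for.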
@@ -673,6 +760,22 @@ index 16dcb5b..2d17fe6 100644
  
  corenet_sendrecv_hplip_server_packets(glance_api_t)
  corenet_tcp_bind_hplip_port(glance_api_t)
+ 
+ fs_getattr_xattr_fs(glance_api_t)
+ 
++tunable_policy(`glance_api_can_network',`
++	corenet_sendrecv_all_client_packets(glance_api_t)
++	corenet_tcp_connect_all_ports(glance_api_t)
++	corenet_tcp_sendrecv_all_ports(glance_api_t)
++')
++
+ optional_policy(`
+     mysql_stream_connect(glance_api_t)
+ ')
++
++optional_policy(`
++    unconfined_domain(glance_api_t)
++')
 diff --git a/gnome.te b/gnome.te
 index 5314f96..ea1115c 100644
 --- a/gnome.te
@@ -1163,10 +1266,18 @@ index 49dc5ef..3bcd32c 100644
 +')
  
 diff --git a/passenger.if b/passenger.if
-index 0ec51d4..2d8335f 100644
+index 0ec51d4..0e33327 100644
 --- a/passenger.if
 +++ b/passenger.if
-@@ -159,3 +159,22 @@ interface(`passenger_manage_tmp_files',`
+@@ -16,6 +16,7 @@ interface(`passenger_domtrans',`
+ 	')
+ 
+ 	domtrans_pattern($1, passenger_exec_t, passenger_t)
++	allow passenger_t $1:unix_stream_socket { accept getattr read write };
+ ')
+ 
+ ######################################
+@@ -159,3 +160,22 @@ interface(`passenger_manage_tmp_files',`
  	manage_files_pattern($1, passenger_tmp_t, passenger_tmp_t)
  	manage_dirs_pattern($1, passenger_tmp_t, passenger_tmp_t)
  ')
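Review bot: The rule added to `passenger_domtrans` gives `passenger_t` the permissions `accept getattr read write` on the unix stream sockets of every domain that calls this interface. That is wider than a domain transition, and nothing in the hunk explains it. A comment above the rule would help, for example `# passenger uses the stream socket inherited from the calling domain`, together with a matching sentence in the interface summary. The reason given in that example is an assumption and needs confirming. The interface header and its `gen_require` begin outside the hunk, so it is not visible here whether the summary already mentions socket access.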
@@ -1574,11 +1685,74 @@ index a375475..0903e67 100644
  ')
  
  ########################################
+diff --git a/quantum.fc b/quantum.fc
+index 32dec67..b985b65 100644
+--- a/quantum.fc
++++ b/quantum.fc
+@@ -4,6 +4,9 @@
+ /usr/bin/neutron-dhcp-agent     --  gen_context(system_u:object_r:neutron_exec_t,s0)
+ /usr/bin/neutron-l3-agent       --  gen_context(system_u:object_r:neutron_exec_t,s0)
+ /usr/bin/neutron-lbaas-agent	--	gen_context(system_u:object_r:neutron_exec_t,s0)
++/usr/bin/neutron-metadata-agent    --  gen_context(system_u:object_r:neutron_exec_t,s0)
++/usr/bin/neutron-netns-cleanup --  gen_context(system_u:object_r:neutron_exec_t,s0)
++/usr/bin/neutron-ns-metadata-proxy --  gen_context(system_u:object_r:neutron_exec_t,s0)
+ /usr/bin/neutron-rootwrap	--	gen_context(system_u:object_r:neutron_exec_t,s0)
+ /usr/bin/neutron-linuxbridge-agent	--	gen_context(system_u:object_r:neutron_exec_t,s0)
+ /usr/bin/neutron-openvswitch-agent	--	gen_context(system_u:object_r:neutron_exec_t,s0)
+@@ -26,3 +29,6 @@
+ 
+ /var/log/neutron(/.*)?	gen_context(system_u:object_r:neutron_log_t,s0)
+ /var/log/quantum(/.*)?	gen_context(system_u:object_r:neutron_log_t,s0)
++
++/var/run/neutron(/.*)?	gen_context(system_u:object_r:neutron_var_run_t,s0)
++/var/run/quantum(/.*)?	gen_context(system_u:object_r:neutron_var_run_t,s0)
+diff --git a/quantum.if b/quantum.if
+index 3105104..97bbea4 100644
+--- a/quantum.if
++++ b/quantum.if
+@@ -171,6 +171,7 @@ interface(`neutron_manage_lib_files',`
+ 
+ 	files_search_var_lib($1)
+ 	manage_files_pattern($1, neutron_var_lib_t, neutron_var_lib_t)
++    manage_sock_files_pattern($1, neutron_var_lib_t, neutron_var_lib_t)
+ ')
+ 
+ ########################################
 diff --git a/quantum.te b/quantum.te
-index 52bad99..156e9af 100644
+index 52bad99..e8c81df 100644
 --- a/quantum.te
 +++ b/quantum.te
-@@ -29,13 +29,17 @@ systemd_unit_file(neutron_unit_file_t)
+@@ -1,10 +1,18 @@
+-policy_module(quantum, 1.0.3)
++policy_module(quantum, 1.1.0)
+ 
+ ########################################
+ #
+ # Declarations
+ #
+ 
++## <desc>
++##  <p>
++##	Determine whether neutron can
++##	connect to all TCP ports
++##	</p>
++## </desc>
++gen_tunable(neutron_can_network, false)
++
+ type neutron_t alias quantum_t;
+ type neutron_exec_t alias quantum_exec_t;
+ init_daemon_domain(neutron_t, neutron_exec_t)
+@@ -21,6 +29,9 @@ files_tmp_file(neutron_tmp_t)
+ type neutron_var_lib_t alias quantum_var_lib_t;
+ files_type(neutron_var_lib_t)
+ 
++type neutron_var_run_t alias quantum_var_run_t;
++files_pid_file(neutron_var_run_t)
++
+ type neutron_unit_file_t alias quantum_unit_file_t;
+ systemd_unit_file(neutron_unit_file_t)
+ 
+@@ -29,13 +40,17 @@ systemd_unit_file(neutron_unit_file_t)
  # Local policy
  #
  
@@ -1591,20 +1765,25 @@ index 52bad99..156e9af 100644
  allow neutron_t self:fifo_file rw_fifo_file_perms;
  allow neutron_t self:key manage_key_perms;
  allow neutron_t self:tcp_socket { accept listen };
- allow neutron_t self:unix_stream_socket { accept listen };
+-allow neutron_t self:unix_stream_socket { accept listen };
++allow neutron_t self:unix_stream_socket { accept listen connectto };
  allow neutron_t self:netlink_route_socket rw_netlink_socket_perms;
 +allow neutron_t self:rawip_socket create_socket_perms;
 +allow neutron_t self:packet_socket create_socket_perms;
  
  manage_dirs_pattern(neutron_t, neutron_log_t, neutron_log_t)
  append_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
-@@ -44,18 +48,21 @@ setattr_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
+@@ -44,15 +59,22 @@ setattr_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
  logging_log_filetrans(neutron_t, neutron_log_t, dir)
  
  manage_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
 -files_tmp_filetrans(neutron_t, neutron_tmp_t, file)
 +manage_dirs_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
 +files_tmp_filetrans(neutron_t, neutron_tmp_t, { file dir })
++
++manage_files_pattern(neutron_t, neutron_var_run_t, neutron_var_run_t)
++manage_dirs_pattern(neutron_t, neutron_var_run_t, neutron_var_run_t)
++files_pid_filetrans(neutron_t, neutron_var_run_t, { file dir })
  
  manage_dirs_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
  manage_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
@@ -1614,15 +1793,16 @@ index 52bad99..156e9af 100644
  can_exec(neutron_t, neutron_tmp_t)
  
 -kernel_read_kernel_sysctls(neutron_t)
++kernel_rw_kernel_sysctl(neutron_t)
++kernel_rw_net_sysctls(neutron_t)
  kernel_read_system_state(neutron_t)
  kernel_read_network_state(neutron_t)
  kernel_request_load_module(neutron_t)
-+kernel_rw_kernel_sysctl(neutron_t)
-+kernel_rw_net_sysctls(neutron_t)
+@@ -68,10 +90,13 @@ corenet_tcp_sendrecv_all_ports(neutron_t)
+ corenet_tcp_bind_generic_node(neutron_t)
  
- corecmd_exec_shell(neutron_t)
- corecmd_exec_bin(neutron_t)
-@@ -71,7 +78,9 @@ corenet_tcp_bind_neutron_port(neutron_t)
+ corenet_tcp_bind_neutron_port(neutron_t)
++corenet_tcp_connect_neutron_port(neutron_t)
  corenet_tcp_connect_keystone_port(neutron_t)
  corenet_tcp_connect_amqp_port(neutron_t)
  corenet_tcp_connect_mysqld_port(neutron_t)
@@ -1632,16 +1812,7 @@ index 52bad99..156e9af 100644
  domain_named_filetrans(neutron_t)
  
  dev_read_sysfs(neutron_t)
-@@ -82,6 +91,8 @@ dev_unmount_sysfs_fs(neutron_t)
- 
- files_mounton_non_security(neutron_t)
- 
-+fs_getattr_all_fs(neutron_t)
-+
- auth_use_nsswitch(neutron_t)
- 
- libs_exec_ldconfig(neutron_t)
-@@ -89,6 +100,9 @@ libs_exec_ldconfig(neutron_t)
+@@ -89,10 +114,19 @@ libs_exec_ldconfig(neutron_t)
  logging_send_audit_msgs(neutron_t)
  logging_send_syslog_msg(neutron_t)
  
@@ -1651,7 +1822,31 @@ index 52bad99..156e9af 100644
  sysnet_exec_ifconfig(neutron_t)
  sysnet_manage_ifconfig_run(neutron_t)
  sysnet_filetrans_named_content_ifconfig(neutron_t)
-@@ -109,16 +123,19 @@ optional_policy(`
+ 
++tunable_policy(`neutron_can_network',`
++	corenet_sendrecv_all_client_packets(neutron_t)
++	corenet_tcp_connect_all_ports(neutron_t)
++	corenet_tcp_sendrecv_all_ports(neutron_t)
++')
++
+ optional_policy(`
+ 	brctl_domtrans(neutron_t)
+ ')
+@@ -100,25 +134,32 @@ optional_policy(`
+ optional_policy(`
+     dnsmasq_domtrans(neutron_t)
+     dnsmasq_signal(neutron_t)
+-    dnsmasq_kill(neutron_t)
+     dnsmasq_read_state(neutron_t)
+ ')
+ 
+ optional_policy(`
++    rhcs_domtrans_haproxy(neutron_t)
++    rhcs_stream_connect_haproxy(neutron_t)
++')
++
++optional_policy(`
+     iptables_domtrans(neutron_t)
  ')
  
  optional_policy(`
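Review bot: Inside the new `tunable_policy(`neutron_can_network', ...)` block, the line `corenet_tcp_sendrecv_all_ports(neutron_t)` looks redundant. The context of an earlier inner hunk header for quantum.te (`@@ -68,10 +90,13 @@ corenet_tcp_sendrecv_all_ports(neutron_t)`) shows the same call already present unconditionally. Leaving it inside the boolean suggests that turning the boolean off removes send/receive on all ports, which it would not. Either drop that line from the tunable block or move the unconditional call under the boolean. The boolean's description could then state exactly what it adds, namely `corenet_tcp_connect_all_ports` and the client packet rules.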
@@ -1673,7 +1868,7 @@ index 52bad99..156e9af 100644
  	postgresql_tcp_connect(neutron_t)
  ')
  
-@@ -129,4 +146,8 @@ optional_policy(`
+@@ -129,4 +170,8 @@ optional_policy(`
  
  optional_policy(`
  	sudo_exec(neutron_t)
@@ -1703,6 +1898,77 @@ index 7d5630f..9fb98a1 100644
  
  manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
  
+diff --git a/raid.te b/raid.te
+index aa0ff54..9e28c38 100644
+--- a/raid.te
++++ b/raid.te
+@@ -69,6 +69,9 @@ kernel_read_kernel_sysctls(mdadm_t)
+ kernel_request_load_module(mdadm_t)
+ kernel_rw_software_raid_state(mdadm_t)
+ kernel_setsched(mdadm_t)
++kernel_dontaudit_setsched(mdadm_t)
++kernel_signal(mdadm_t)
++kernel_stream_connect(mdadm_t)
+ 
+ corecmd_exec_bin(mdadm_t)
+ corecmd_exec_shell(mdadm_t)
+diff --git a/rhcs.if b/rhcs.if
+index 1337d42..e6bcb25 100644
+--- a/rhcs.if
++++ b/rhcs.if
+@@ -97,6 +97,26 @@ interface(`rhcs_stream_connect_dlm_controld',`
+ 
+ #####################################
+ ## <summary>
++##	Connect to haproxy over a unix domain
++##	stream socket.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`rhcs_stream_connect_haproxy',`
++	gen_require(`
++		type haproxy_t, haproxy_var_run_t;
++	')
++
++	files_search_pids($1)
++	stream_connect_pattern($1, haproxy_var_run_t, haproxy_var_run_t, haproxy_t)
++')
++
++#####################################
++## <summary>
+ ##	Allow read and write access to dlm_controld semaphores.
+ ## </summary>
+ ## <param name="domain">
+@@ -212,6 +232,25 @@ interface(`rhcs_stream_connect_fenced',`
+ 	stream_connect_pattern($1, fenced_var_run_t, fenced_var_run_t, fenced_t)
+ ')
+ 
++######################################
++## <summary>
++##	Execute a domain transition to run fenced.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`rhcs_domtrans_haproxy',`
++	gen_require(`
++		type haproxy_t, haproxy_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, haproxy_exec_t, haproxy_t)
++')
++
+ #####################################
+ ## <summary>
+ ##	Execute a domain transition to run gfs_controld.
 diff --git a/rhcs.te b/rhcs.te
 index 4fd3b77..503838b 100644
 --- a/rhcs.te
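Review bot: The summary of the new `rhcs_domtrans_haproxy` interface reads `Execute a domain transition to run fenced.`, but the body transitions to `haproxy_t` through `haproxy_exec_t`. This looks like a copy-paste slip, and the summary should read `Execute a domain transition to run haproxy.`. In the raid.te part of the same hunk, `kernel_dontaudit_setsched(mdadm_t)` is added directly after the existing `kernel_setsched(mdadm_t)`. If the existing interface allows `setsched` on `kernel_t`, as its name suggests, the dontaudit rule has nothing to suppress and could be dropped, or the pair deserves a comment saying why both are wanted.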
@@ -2000,10 +2266,15 @@ index e472397..6aeecac 100644
  auth_use_nsswitch(stapserver_t)
  
 diff --git a/swift.fc b/swift.fc
-index 744f0ce..b07d112 100644
+index 744f0ce..7e59e7e 100644
 --- a/swift.fc
 +++ b/swift.fc
-@@ -15,8 +15,11 @@
+@@ -11,12 +11,16 @@
+ 
+ /usr/bin/swift-object-auditor		--	gen_context(system_u:object_r:swift_exec_t,s0)
+ /usr/bin/swift-object-info		--	gen_context(system_u:object_r:swift_exec_t,s0)
++/usr/bin/swift-object-expirer   --  gen_context(system_u:object_r:swift_exec_t,s0)
+ /usr/bin/swift-object-replicator		--	gen_context(system_u:object_r:swift_exec_t,s0)
  /usr/bin/swift-object-server		--	gen_context(system_u:object_r:swift_exec_t,s0)
  /usr/bin/swift-object-updater		--	gen_context(system_u:object_r:swift_exec_t,s0)
  
@@ -2064,10 +2335,23 @@ index df82c36..6a1f575 100644
  ## <summary>
  ##	Execute swift server in the swift domain.
 diff --git a/swift.te b/swift.te
-index 7bef550..7fce837 100644
+index 7bef550..43a0495 100644
 --- a/swift.te
 +++ b/swift.te
-@@ -9,8 +9,14 @@ type swift_t;
+@@ -5,12 +5,27 @@ policy_module(swift, 1.0.0)
+ # Declarations
+ #
+ 
++## <desc>
++##  <p>
++##	Determine whether swift can
++##	connect to all TCP ports
++##	</p>
++## </desc>
++gen_tunable(swift_can_network, false)
++
++
+ type swift_t;
  type swift_exec_t;
  init_daemon_domain(swift_t, swift_exec_t)
  
@@ -2083,7 +2367,7 @@ index 7bef550..7fce837 100644
  
  type swift_var_cache_t;
  files_type(swift_var_cache_t)
-@@ -36,10 +42,18 @@ allow swift_t self:tcp_socket create_stream_socket_perms;
+@@ -36,10 +51,18 @@ allow swift_t self:tcp_socket create_stream_socket_perms;
  allow swift_t self:unix_stream_socket create_stream_socket_perms;
  allow swift_t self:unix_dgram_socket create_socket_perms;
  
@@ -2102,20 +2386,27 @@ index 7bef550..7fce837 100644
  manage_dirs_pattern(swift_t, swift_var_cache_t, swift_var_cache_t)
  manage_files_pattern(swift_t, swift_var_cache_t, swift_var_cache_t)
  manage_lnk_files_pattern(swift_t, swift_var_cache_t, swift_var_cache_t)
-@@ -59,7 +73,12 @@ kernel_dgram_send(swift_t)
+@@ -59,7 +82,19 @@ kernel_dgram_send(swift_t)
  kernel_read_system_state(swift_t)
  kernel_read_network_state(swift_t)
  
 +# bug in swift
 +corenet_tcp_bind_xserver_port(swift_t)
++
++corenet_tcp_bind_swift_port(swift_t)
 +corenet_tcp_bind_http_cache_port(swift_t)
 +
++corenet_tcp_connect_xserver_port(swift_t)
++corenet_tcp_connect_swift_port(swift_t)
++corenet_tcp_connect_keystone_port(swift_t)
++corenet_tcp_connect_memcache_port(swift_t)
++
  corecmd_exec_shell(swift_t)
 +corecmd_exec_bin(swift_t)
  
  dev_read_urand(swift_t)
  
-@@ -67,6 +86,8 @@ domain_use_interactive_fds(swift_t)
+@@ -67,6 +102,8 @@ domain_use_interactive_fds(swift_t)
  
  files_dontaudit_search_home(swift_t)
  
@@ -2124,8 +2415,20 @@ index 7bef550..7fce837 100644
  auth_use_nsswitch(swift_t)
  
  libs_exec_ldconfig(swift_t)
-@@ -77,4 +98,5 @@ userdom_dontaudit_search_user_home_dirs(swift_t)
+@@ -75,6 +112,17 @@ logging_send_syslog_msg(swift_t)
  
+ userdom_dontaudit_search_user_home_dirs(swift_t)
+ 
++tunable_policy(`swift_can_network',`
++	corenet_sendrecv_all_client_packets(swift_t)
++	corenet_tcp_connect_all_ports(swift_t)
++	corenet_tcp_sendrecv_all_ports(swift_t)
++')
++
++optional_policy(`
++    apache_search_config(swift_t)
++')
++
  optional_policy(`
      rpm_exec(swift_t)
 +    rpm_dontaudit_manage_db(swift_t)
diff --git a/SPECS/selinux-policy.spec b/SPECS/selinux-policy.spec
index f478c9f..c8452a0 100644
--- a/SPECS/selinux-policy.spec
+++ b/SPECS/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 153%{?dist}.10
+Release: 153%{?dist}.11
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -583,6 +583,11 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Fri Aug 22 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-153.el7_0.11
+- Back port OpenStack fixes
+- Allow mdadm to connect to own socket created by mdadm running as kernel_t
+Resolves:#1132828
+
 * Tue Jun 3 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-153.el7_0.10
 - Allow swift to execute bin_t
 - Allow swift to bind http_cache