diff --git a/modules-mls-contrib.conf b/modules-mls-contrib.conf
index f93bd1b..1784416 100644
--- a/modules-mls-contrib.conf
+++ b/modules-mls-contrib.conf
@@ -25,13 +25,6 @@ afs = module
 # Policy for aide
 # 
 aide = module
-
-# Layer: services
-# Module: aisexec
-#
-# RHCS - Red Hat Cluster Suite
-#
-aisexec = module
  
 # Layer: admin
 # Module: alsa
@@ -286,13 +279,6 @@ comsat = module
 #consolekit = module
 
 # Layer: services
-# Module: corosync
-#
-# Corosync Cluster Engine Executive
-# 
-corosync = module
-
-# Layer: services
 # Module: courier
 #
 # IMAP and POP3 email servers
@@ -1154,13 +1140,6 @@ readahead = module
 remotelogin = module
 
 # Layer: services
-# Module: rgmanager
-#
-# Red Hat Resource Group Manager
-#
-rgmanager = module
-
-# Layer: services
 # Module: rhcs
 #
 # RHCS - Red Hat Cluster Suite
diff --git a/modules-targeted-contrib.conf b/modules-targeted-contrib.conf
index 3892c69..e88980a 100644
--- a/modules-targeted-contrib.conf
+++ b/modules-targeted-contrib.conf
@@ -39,13 +39,6 @@ aiccu = module
 # Policy for aide
 # 
 aide = module
-
-# Layer: services
-# Module: aisexec
-#
-# RHCS - Red Hat Cluster Suite
-#
-aisexec = module
  
 # Layer: services
 # Module: ajaxterm
@@ -385,13 +378,6 @@ condor = module
 consolekit = module
 
 # Layer: services
-# Module: corosync
-#
-# Corosync Cluster Engine Executive
-# 
-corosync = module
-
-# Layer: services
 # Module: couchdb
 #
 # Apache CouchDB database server
@@ -1279,13 +1265,6 @@ openvpn = module
 #
 openvswitch = module
 
-# Layer: services
-# Module: pacemaker
-#
-# pacemaker
-#
-pacemaker = module
-
 prelude = module
 
 # Layer: services
@@ -1559,20 +1538,6 @@ realmd = module
 remotelogin = module
 
 # Layer: services
-# Module: rgmanager
-#
-# Red Hat Resource Group Manager
-#
-rgmanager = module
-
-# Layer: services
-# Module: rgmanager
-#
-# rgmanager
-# 
-rgmanager = module
-
-# Layer: services
 # Module: rhcs
 #
 # RHCS - Red Hat Cluster Suite
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index e134722..4a010e7 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -1035,7 +1035,7 @@ index 7a6f06f..bf04b0a 100644
 -/usr/sbin/grub		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 +/var/lib/os-prober(/.*)?	gen_context(system_u:object_r:bootloader_var_lib_t,s0)
 diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if
-index cc8df9d..5e914db 100644
+index cc8df9d..34c2a4e 100644
 --- a/policy/modules/admin/bootloader.if
 +++ b/policy/modules/admin/bootloader.if
 @@ -19,6 +19,24 @@ interface(`bootloader_domtrans',`
@@ -1063,7 +1063,7 @@ index cc8df9d..5e914db 100644
  ########################################
  ## <summary>
  ##	Execute bootloader interactively and do
-@@ -38,30 +56,21 @@ interface(`bootloader_domtrans',`
+@@ -38,16 +56,26 @@ interface(`bootloader_domtrans',`
  #
  interface(`bootloader_run',`
  	gen_require(`
@@ -1077,34 +1077,84 @@ index cc8df9d..5e914db 100644
 +
  	bootloader_domtrans($1)
 -	roleattribute $2 bootloader_roles;
--')
++
++        role $2 types bootloader_t;
++
++        ifdef(`distro_redhat',`
++                # for mke2fs
++		mount_run(bootloader_t, $2)
++	')
+ ')
  
--########################################
--## <summary>
+ ########################################
+ ## <summary>
 -##	Execute bootloader in the caller domain.
--## </summary>
--## <param name="domain">
--##	<summary>
--##	Domain allowed access.
--##	</summary>
--## </param>
--#
++##	Read the bootloader configuration file.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -55,36 +83,37 @@ interface(`bootloader_run',`
+ ##	</summary>
+ ## </param>
+ #
 -interface(`bootloader_exec',`
--	gen_require(`
++interface(`bootloader_read_config',`
+ 	gen_require(`
 -		type bootloader_exec_t;
--	')
-+        role $2 types bootloader_t;
++		type bootloader_etc_t;
+ 	')
  
 -	corecmd_search_bin($1)
 -	can_exec($1, bootloader_exec_t)
-+        ifdef(`distro_redhat',`
-+                # for mke2fs
-+		mount_run(bootloader_t, $2)
-+	')
++	allow $1 bootloader_etc_t:file read_file_perms;
  ')
  
  ########################################
-@@ -119,7 +128,7 @@ interface(`bootloader_rw_tmp_files',`
+ ## <summary>
+-##	Read the bootloader configuration file.
++##	Read and write the bootloader
++##	configuration file.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
++## <rolecap/>
+ #
+-interface(`bootloader_read_config',`
++interface(`bootloader_rw_config',`
+ 	gen_require(`
+ 		type bootloader_etc_t;
+ 	')
+ 
+-	allow $1 bootloader_etc_t:file read_file_perms;
++	allow $1 bootloader_etc_t:file rw_file_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read and write the bootloader
++##	Manage the bootloader
+ ##	configuration file.
+ ## </summary>
+ ## <param name="domain">
+@@ -94,12 +123,12 @@ interface(`bootloader_read_config',`
+ ## </param>
+ ## <rolecap/>
+ #
+-interface(`bootloader_rw_config',`
++interface(`bootloader_manage_config',`
+ 	gen_require(`
+ 		type bootloader_etc_t;
+ 	')
+ 
+-	allow $1 bootloader_etc_t:file rw_file_perms;
++	manage_files_pattern($1, bootloader_etc_t, bootloader_etc_t)
+ ')
+ 
+ ########################################
+@@ -119,7 +148,7 @@ interface(`bootloader_rw_tmp_files',`
  	')
  
  	files_search_tmp($1)
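Review bot: The lines added to `bootloader_run` between `bootloader_domtrans($1)` and the closing `')` mix indentation — `role $2 types bootloader_t;`, the `ifdef(`distro_redhat',`` line and `# for mke2fs` use eight and sixteen spaces while the `mount_run(bootloader_t, $2)` line and the rest of the interface use tabs; use one tab per level throughout, as the surrounding refpolicy code does. The comment `# for mke2fs` does not say why running mount in mount_t is what mke2fs needs; I cannot tell from this hunk whether bootloader scripts mount a filesystem before creating it, so the comment should state the actual reason rather than the tool name. Worth keeping in mind that every role granted `bootloader_run` now also receives `mount_run` on Red Hat builds, which widens the role beyond the bootloader domain. The enclosing `bootloader_run` interface opens before this hunk.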
@@ -1113,7 +1163,7 @@ index cc8df9d..5e914db 100644
  ')
  
  ########################################
-@@ -141,3 +150,22 @@ interface(`bootloader_create_runtime_file',`
+@@ -141,3 +170,24 @@ interface(`bootloader_create_runtime_file',`
  	allow $1 boot_runtime_t:file { create_file_perms rw_file_perms };
  	files_boot_filetrans($1, boot_runtime_t, file)
  ')
@@ -1133,8 +1183,10 @@ index cc8df9d..5e914db 100644
 +		type bootloader_etc_t;
 +	')
 +
++	files_etc_filetrans($1,bootloader_etc_t,file, "grub")
 +	files_etc_filetrans($1,bootloader_etc_t,file, "lilo.conf")
 +	files_etc_filetrans($1,bootloader_etc_t,file, "yaboot.conf")
++	files_etc_filetrans($1,bootloader_etc_t,file, "zipl.conf")
 +')
 diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
 index e3dbbb8..f766e86 100644
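Review bot: The new `files_etc_filetrans($1,bootloader_etc_t,file, "grub")` is the only one of the four transitions without a `.conf` suffix, and a file-class transition on the bare name `grub` will not fire for `/etc/grub.conf` nor for a directory such as `/etc/grub.d`; confirm the intended name against the file-context entries for /etc before relying on it. The added lines also copy the uneven spacing of the existing calls (a space only after `file,`); `files_etc_filetrans($1, bootloader_etc_t, file, "grub")` is the usual refpolicy form. The interface these calls belong to opens before this hunk.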
@@ -2965,7 +3017,7 @@ index 7590165..19aaaed 100644
 +	fs_mounton_fusefs(seunshare_domain)
 +')
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 644d4d7..5be2ae6 100644
+index 644d4d7..330ed39 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
 @@ -1,9 +1,10 @@
@@ -3023,7 +3075,17 @@ index 644d4d7..5be2ae6 100644
  /etc/sysconfig/crond		--	gen_context(system_u:object_r:bin_t,s0)
  /etc/sysconfig/init		--	gen_context(system_u:object_r:bin_t,s0)
  /etc/sysconfig/libvirtd		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -134,10 +143,11 @@ ifdef(`distro_debian',`
+@@ -116,6 +125,9 @@ ifdef(`distro_redhat',`
+ 
+ /etc/vmware-tools(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+ 
++
++/etc/wdmd\.d/checkquorum\.wdmd	gen_context(system_u:object_r:bin_t,s0)
++
+ /etc/X11/xdm/GiveConsole	--	gen_context(system_u:object_r:bin_t,s0)
+ /etc/X11/xdm/TakeConsole	--	gen_context(system_u:object_r:bin_t,s0)
+ /etc/X11/xdm/Xsetup_0		--	gen_context(system_u:object_r:bin_t,s0)
+@@ -134,10 +146,11 @@ ifdef(`distro_debian',`
  
  /lib/readahead(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  /lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
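Review bot: The new `/etc/wdmd\.d/checkquorum\.wdmd` entry lacks the `--` regular-file qualifier that every neighbouring /etc entry carries, so a directory or symlink of that name would also be labelled bin_t; it should read `/etc/wdmd\.d/checkquorum\.wdmd	--	gen_context(system_u:object_r:bin_t,s0)`. The two added blank lines leave a double blank line between `/etc/vmware-tools(/.*)?` and the new entry, which the rest of the file avoids; one blank line on each side is enough.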
@@ -3036,7 +3098,7 @@ index 644d4d7..5be2ae6 100644
  
  ifdef(`distro_gentoo',`
  /lib/dhcpcd/dhcpcd-run-hooks	--	gen_context(system_u:object_r:bin_t,s0)
-@@ -151,7 +161,7 @@ ifdef(`distro_gentoo',`
+@@ -151,7 +164,7 @@ ifdef(`distro_gentoo',`
  #
  # /sbin
  #
@@ -3045,7 +3107,7 @@ index 644d4d7..5be2ae6 100644
  /sbin/.*				gen_context(system_u:object_r:bin_t,s0)
  /sbin/insmod_ksymoops_clean	--	gen_context(system_u:object_r:bin_t,s0)
  /sbin/mkfs\.cramfs		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -167,6 +177,7 @@ ifdef(`distro_gentoo',`
+@@ -167,6 +180,7 @@ ifdef(`distro_gentoo',`
  /opt/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  
  /opt/google/talkplugin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -3053,7 +3115,7 @@ index 644d4d7..5be2ae6 100644
  
  /opt/gutenprint/cups/lib/filter(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  
-@@ -178,33 +189,49 @@ ifdef(`distro_gentoo',`
+@@ -178,33 +192,49 @@ ifdef(`distro_gentoo',`
  /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
  ')
  
@@ -3112,7 +3174,7 @@ index 644d4d7..5be2ae6 100644
  /usr/lib/dpkg/.+		--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/emacsen-common/.*		gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/gimp/.*/plug-ins(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-@@ -215,18 +242,28 @@ ifdef(`distro_gentoo',`
+@@ -215,18 +245,28 @@ ifdef(`distro_gentoo',`
  /usr/lib/mailman/mail(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/mediawiki/math/texvc.*		gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/misc/sftp-server	--	gen_context(system_u:object_r:bin_t,s0)
@@ -3148,7 +3210,7 @@ index 644d4d7..5be2ae6 100644
  /usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/xfce4/exo-1/exo-helper-1 --	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/xfce4/panel/migrate	--	gen_context(system_u:object_r:bin_t,s0)
-@@ -241,10 +278,15 @@ ifdef(`distro_gentoo',`
+@@ -241,10 +281,15 @@ ifdef(`distro_gentoo',`
  /usr/lib/debug/sbin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/debug/usr/bin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/debug/usr/sbin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
@@ -3164,7 +3226,7 @@ index 644d4d7..5be2ae6 100644
  /usr/lib/[^/]*/run-mozilla\.sh --	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
-@@ -257,10 +299,17 @@ ifdef(`distro_gentoo',`
+@@ -257,10 +302,17 @@ ifdef(`distro_gentoo',`
  
  /usr/libexec/openssh/sftp-server --	gen_context(system_u:object_r:bin_t,s0)
  
@@ -3185,7 +3247,7 @@ index 644d4d7..5be2ae6 100644
  /usr/sbin/scponlyc		--	gen_context(system_u:object_r:shell_exec_t,s0)
  /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
  /usr/sbin/smrsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -276,10 +325,15 @@ ifdef(`distro_gentoo',`
+@@ -276,10 +328,15 @@ ifdef(`distro_gentoo',`
  /usr/share/cluster/.*\.sh		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/cluster/ocf-shellfuncs --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/cluster/svclib_nfslock --	gen_context(system_u:object_r:bin_t,s0)
@@ -3201,7 +3263,7 @@ index 644d4d7..5be2ae6 100644
  /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -294,16 +348,22 @@ ifdef(`distro_gentoo',`
+@@ -294,16 +351,22 @@ ifdef(`distro_gentoo',`
  /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/smolt/client(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall/compiler\.pl --	gen_context(system_u:object_r:bin_t,s0)
@@ -3226,7 +3288,7 @@ index 644d4d7..5be2ae6 100644
  
  ifdef(`distro_debian',`
  /usr/lib/ConsoleKit/.*		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -321,20 +381,27 @@ ifdef(`distro_redhat', `
+@@ -321,20 +384,27 @@ ifdef(`distro_redhat', `
  /etc/gdm/[^/]+			-d	gen_context(system_u:object_r:bin_t,s0)
  /etc/gdm/[^/]+/.*			gen_context(system_u:object_r:bin_t,s0)
  
@@ -3255,7 +3317,7 @@ index 644d4d7..5be2ae6 100644
  /usr/share/pwlib/make/ptlib-config --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/pydict/pydict\.py	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -383,11 +450,15 @@ ifdef(`distro_suse', `
+@@ -383,11 +453,15 @@ ifdef(`distro_suse', `
  #
  # /var
  #
@@ -3272,7 +3334,7 @@ index 644d4d7..5be2ae6 100644
  /usr/lib/yp/.+			--	gen_context(system_u:object_r:bin_t,s0)
  
  /var/qmail/bin			-d	gen_context(system_u:object_r:bin_t,s0)
-@@ -397,3 +468,12 @@ ifdef(`distro_suse', `
+@@ -397,3 +471,12 @@ ifdef(`distro_suse', `
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -10806,10 +10868,10 @@ index 148d87a..822f6be 100644
  	allow files_unconfined_type file_type:file execmod;
  ')
 diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
-index cda5588..91a633a 100644
+index cda5588..3035829 100644
 --- a/policy/modules/kernel/filesystem.fc
 +++ b/policy/modules/kernel/filesystem.fc
-@@ -1,3 +1,7 @@
+@@ -1,9 +1,13 @@
 +# ecryptfs does not support xattr
 +HOME_DIR/\.ecryptfs(/.*)?	gen_context(system_u:object_r:ecryptfs_t,s0)
 +HOME_DIR/\.Private(/.*)?	gen_context(system_u:object_r:ecryptfs_t,s0)
@@ -10817,6 +10879,13 @@ index cda5588..91a633a 100644
  /cgroup			-d	gen_context(system_u:object_r:cgroup_t,s0)
  /cgroup/.*			<<none>>
  
+ /dev/hugepages		-d	gen_context(system_u:object_r:hugetlbfs_t,s0)
+ /dev/hugepages(/.*)?		<<none>>
+-/dev/shm		-d	gen_context(system_u:object_r:tmpfs_t,s0)
++/dev/shm		-d	gen_context(system_u:object_r:tmpfs_t,s0-mls_systemhigh)
+ /dev/shm/.*			<<none>>
+ 
+ /lib/udev/devices/hugepages -d	gen_context(system_u:object_r:hugetlbfs_t,s0)
 @@ -14,3 +18,10 @@
  # for systemd systems:
  /sys/fs/cgroup		-d	gen_context(system_u:object_r:cgroup_t,s0)
@@ -12112,7 +12181,7 @@ index 8416beb..60b2ce1 100644
 +	fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct")
 +')
 diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index 9e603f5..6a95769 100644
+index 9e603f5..3c5f139 100644
 --- a/policy/modules/kernel/filesystem.te
 +++ b/policy/modules/kernel/filesystem.te
 @@ -33,6 +33,7 @@ fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
@@ -12181,15 +12250,16 @@ index 9e603f5..6a95769 100644
  
  #
  # tmpfs_t is the type for tmpfs filesystems
-@@ -176,6 +181,7 @@ fs_type(tmpfs_t)
+@@ -176,6 +181,8 @@ fs_type(tmpfs_t)
  files_type(tmpfs_t)
  files_mountpoint(tmpfs_t)
  files_poly_parent(tmpfs_t)
 +dev_associate(tmpfs_t)
++mls_trusted_object(tmpfs_t)
  
  # Use a transition SID based on the allocating task SID and the
  # filesystem SID to label inodes in the following filesystem types,
-@@ -255,6 +261,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
+@@ -255,6 +262,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
  type removable_t;
  allow removable_t noxattrfs:filesystem associate;
  fs_noxattr_type(removable_t)
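Review bot: `mls_trusted_object(tmpfs_t)`, added after `dev_associate(tmpfs_t)`, exempts every object of type tmpfs_t from the MLS constraints, not only the `/dev/shm` directory that the filesystem.fc hunk above relabels to `s0-mls_systemhigh`; as I read refpolicy's mls_trusted_object, that lets a higher-level domain write and a lower-level domain read any file or socket on any tmpfs mount, which is exactly the flow the range on /dev/shm was meant to confine to one place. If the need is limited to /dev/shm, a dedicated type for that mount point keeps the exemption narrow; if the whole type really must be trusted, a comment stating why, e.g. `# trusted object: /dev/shm is shared across MLS levels (see filesystem.fc)`, would make the scope reviewable.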
@@ -12198,7 +12268,7 @@ index 9e603f5..6a95769 100644
  files_mountpoint(removable_t)
  
  #
-@@ -274,6 +282,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
+@@ -274,6 +283,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
  genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
  genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
  genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
@@ -26439,7 +26509,7 @@ index 5dfa44b..aa4d8fc 100644
  
  optional_policy(`
 diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
-index 73bb3c0..e96fdf3 100644
+index 73bb3c0..dbd708d 100644
 --- a/policy/modules/system/libraries.fc
 +++ b/policy/modules/system/libraries.fc
 @@ -1,3 +1,4 @@
@@ -26599,7 +26669,7 @@ index 73bb3c0..e96fdf3 100644
  
  /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  
-@@ -299,17 +309,151 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
+@@ -299,17 +309,154 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
  #
  /var/cache/ldconfig(/.*)?			gen_context(system_u:object_r:ldconfig_cache_t,s0)
  
@@ -26612,6 +26682,9 @@ index 73bb3c0..e96fdf3 100644
  
  /var/mailman/pythonlib(/.*)?/.+\.so(\..*)? --	gen_context(system_u:object_r:lib_t,s0)
  
++/var/named/chroot/lib(/.*)?         gen_context(system_u:object_r:lib_t,s0)
++/var/named/chroot/usr/lib(/.*)?     gen_context(system_u:object_r:lib_t,s0)
++
 +/usr/lib/pgsql/.*\.so.*			--	gen_context(system_u:object_r:lib_t,s0)
 +/usr/lib/pgsql/test/regress/.*\.so.*	--	gen_context(system_u:object_r:lib_t,s0)
 +/var/lib/spamassassin/compiled/.*\.so.* --	gen_context(system_u:object_r:lib_t,s0)
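Review bot: The two new `/var/named/chroot/lib(/.*)?` and `/var/named/chroot/usr/lib(/.*)?` entries pad the gap before `gen_context` with spaces, while every neighbouring line in libraries.fc uses tabs; align them the same way, e.g. `/var/named/chroot/lib(/.*)?	gen_context(system_u:object_r:lib_t,s0)`. Note that `(/.*)?` labels everything under those directories lib_t, not just shared objects, unlike the `.so`-restricted entries that follow; that matches how the top-level library directories are handled, but confirm it is what the chroot needs.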
@@ -28610,7 +28683,7 @@ index e8c59a5..ea56d23 100644
  ')
  
 diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
-index 9fe8e01..d5fe55a 100644
+index 9fe8e01..06fa481 100644
 --- a/policy/modules/system/miscfiles.fc
 +++ b/policy/modules/system/miscfiles.fc
 @@ -9,11 +9,13 @@ ifdef(`distro_gentoo',`
@@ -28641,17 +28714,23 @@ index 9fe8e01..d5fe55a 100644
  /usr/man(/.*)?			gen_context(system_u:object_r:man_t,s0)
  
  /usr/share/ca-certificates(/.*)?	gen_context(system_u:object_r:cert_t,s0)
-@@ -77,8 +74,9 @@ ifdef(`distro_redhat',`
+@@ -77,7 +74,7 @@ ifdef(`distro_redhat',`
  
  /var/cache/fontconfig(/.*)?	gen_context(system_u:object_r:fonts_cache_t,s0)
  /var/cache/fonts(/.*)?		gen_context(system_u:object_r:tetex_data_t,s0)
 -/var/cache/man(/.*)?		gen_context(system_u:object_r:man_cache_t,s0)
- 
 +
-+/var/named/chroot/etc/localtime	--	gen_context(system_u:object_r:cert_t,s0)
+ 
  /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
  
- /var/spool/abrt-upload(/.*)?	gen_context(system_u:object_r:public_content_rw_t,s0)
+@@ -90,6 +87,7 @@ ifdef(`distro_debian',`
+ ')
+ 
+ ifdef(`distro_redhat',`
++/var/named/chroot/etc/localtime	--	gen_context(system_u:object_r:locale_t,s0)
+ /var/empty/sshd/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
+ /var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
+ ')
 diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
 index fc28bc3..2f33076 100644
 --- a/policy/modules/system/miscfiles.if
@@ -35242,7 +35321,7 @@ index db75976..65191bd 100644
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 3c5dba7..6c2548e 100644
+index 3c5dba7..ba7a400 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -36038,7 +36117,12 @@ index 3c5dba7..6c2548e 100644
  	')
  
  	optional_policy(`
-@@ -646,19 +814,16 @@ template(`userdom_common_user_template',`
+@@ -642,23 +810,21 @@ template(`userdom_common_user_template',`
+ 	optional_policy(`
+ 		mpd_manage_user_data_content($1_t)
+ 		mpd_relabel_user_data_content($1_t)
++		mpd_stream_connect($1_t)
+ 	')
  
  	# for running depmod as part of the kernel packaging process
  	optional_policy(`
@@ -36062,7 +36146,7 @@ index 3c5dba7..6c2548e 100644
  			mysql_stream_connect($1_t)
  		')
  	')
-@@ -671,7 +836,7 @@ template(`userdom_common_user_template',`
+@@ -671,7 +837,7 @@ template(`userdom_common_user_template',`
  
  	optional_policy(`
  		# to allow monitoring of pcmcia status
@@ -36071,7 +36155,7 @@ index 3c5dba7..6c2548e 100644
  	')
  
  	optional_policy(`
-@@ -680,9 +845,9 @@ template(`userdom_common_user_template',`
+@@ -680,9 +846,9 @@ template(`userdom_common_user_template',`
  	')
  
  	optional_policy(`
@@ -36084,7 +36168,7 @@ index 3c5dba7..6c2548e 100644
  		')
  	')
  
-@@ -693,32 +858,36 @@ template(`userdom_common_user_template',`
+@@ -693,32 +859,36 @@ template(`userdom_common_user_template',`
  	')
  
  	optional_policy(`
@@ -36132,7 +36216,7 @@ index 3c5dba7..6c2548e 100644
  	')
  ')
  
-@@ -743,17 +912,33 @@ template(`userdom_common_user_template',`
+@@ -743,17 +913,33 @@ template(`userdom_common_user_template',`
  template(`userdom_login_user_template', `
  	gen_require(`
  		class context contains;
@@ -36170,7 +36254,7 @@ index 3c5dba7..6c2548e 100644
  
  	userdom_change_password_template($1)
  
-@@ -761,82 +946,99 @@ template(`userdom_login_user_template', `
+@@ -761,82 +947,99 @@ template(`userdom_login_user_template', `
  	#
  	# User domain Local policy
  	#
@@ -36306,7 +36390,7 @@ index 3c5dba7..6c2548e 100644
  	')
  ')
  
-@@ -868,6 +1070,12 @@ template(`userdom_restricted_user_template',`
+@@ -868,6 +1071,12 @@ template(`userdom_restricted_user_template',`
  	typeattribute $1_t unpriv_userdomain;
  	domain_interactive_fd($1_t)
  
@@ -36319,7 +36403,7 @@ index 3c5dba7..6c2548e 100644
  	##############################
  	#
  	# Local policy
-@@ -908,41 +1116,97 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -908,41 +1117,97 @@ template(`userdom_restricted_xwindows_user_template',`
  	# Local policy
  	#
  
@@ -36430,7 +36514,7 @@ index 3c5dba7..6c2548e 100644
  		')
  
  		optional_policy(`
-@@ -951,12 +1215,29 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -951,12 +1216,29 @@ template(`userdom_restricted_xwindows_user_template',`
  	')
  
  	optional_policy(`
@@ -36461,7 +36545,7 @@ index 3c5dba7..6c2548e 100644
  ')
  
  #######################################
-@@ -990,27 +1271,33 @@ template(`userdom_unpriv_user_template', `
+@@ -990,27 +1272,33 @@ template(`userdom_unpriv_user_template', `
  	#
  
  	# Inherit rules for ordinary users.
@@ -36499,7 +36583,7 @@ index 3c5dba7..6c2548e 100644
  			fs_manage_noxattr_fs_files($1_t)
  			fs_manage_noxattr_fs_dirs($1_t)
  			# Write floppies
-@@ -1021,23 +1308,59 @@ template(`userdom_unpriv_user_template', `
+@@ -1021,23 +1309,59 @@ template(`userdom_unpriv_user_template', `
  		')
  	')
  
@@ -36569,7 +36653,7 @@ index 3c5dba7..6c2548e 100644
  	')
  
  	# Run pppd in pppd_t by default for user
-@@ -1046,7 +1369,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1046,7 +1370,9 @@ template(`userdom_unpriv_user_template', `
  	')
  
  	optional_policy(`
@@ -36580,7 +36664,7 @@ index 3c5dba7..6c2548e 100644
  	')
  ')
  
-@@ -1082,7 +1407,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1082,7 +1408,7 @@ template(`userdom_unpriv_user_template', `
  template(`userdom_admin_user_template',`
  	gen_require(`
  		attribute admindomain;
@@ -36589,7 +36673,7 @@ index 3c5dba7..6c2548e 100644
  	')
  
  	##############################
-@@ -1109,6 +1434,7 @@ template(`userdom_admin_user_template',`
+@@ -1109,6 +1435,7 @@ template(`userdom_admin_user_template',`
  	#
  
  	allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -36597,7 +36681,7 @@ index 3c5dba7..6c2548e 100644
  	allow $1_t self:process { setexec setfscreate };
  	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
  	allow $1_t self:tun_socket create;
-@@ -1117,6 +1443,9 @@ template(`userdom_admin_user_template',`
+@@ -1117,6 +1444,9 @@ template(`userdom_admin_user_template',`
  	# Skip authentication when pam_rootok is specified.
  	allow $1_t self:passwd rootok;
  
@@ -36607,7 +36691,7 @@ index 3c5dba7..6c2548e 100644
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -1131,6 +1460,7 @@ template(`userdom_admin_user_template',`
+@@ -1131,6 +1461,7 @@ template(`userdom_admin_user_template',`
  	kernel_sigstop_unlabeled($1_t)
  	kernel_signull_unlabeled($1_t)
  	kernel_sigchld_unlabeled($1_t)
@@ -36615,7 +36699,7 @@ index 3c5dba7..6c2548e 100644
  
  	corenet_tcp_bind_generic_port($1_t)
  	# allow setting up tunnels
-@@ -1148,10 +1478,14 @@ template(`userdom_admin_user_template',`
+@@ -1148,10 +1479,14 @@ template(`userdom_admin_user_template',`
  	dev_rename_all_blk_files($1_t)
  	dev_rename_all_chr_files($1_t)
  	dev_create_generic_symlinks($1_t)
@@ -36630,7 +36714,7 @@ index 3c5dba7..6c2548e 100644
  	domain_dontaudit_ptrace_all_domains($1_t)
  	# signal all domains:
  	domain_kill_all_domains($1_t)
-@@ -1162,29 +1496,38 @@ template(`userdom_admin_user_template',`
+@@ -1162,29 +1497,38 @@ template(`userdom_admin_user_template',`
  	domain_sigchld_all_domains($1_t)
  	# for lsof
  	domain_getattr_all_sockets($1_t)
@@ -36673,7 +36757,7 @@ index 3c5dba7..6c2548e 100644
  
  	# The following rule is temporary until such time that a complete
  	# policy management infrastructure is in place so that an administrator
-@@ -1194,6 +1537,8 @@ template(`userdom_admin_user_template',`
+@@ -1194,6 +1538,8 @@ template(`userdom_admin_user_template',`
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -36682,7 +36766,7 @@ index 3c5dba7..6c2548e 100644
  	userdom_manage_user_home_content_dirs($1_t)
  	userdom_manage_user_home_content_files($1_t)
  	userdom_manage_user_home_content_symlinks($1_t)
-@@ -1201,13 +1546,17 @@ template(`userdom_admin_user_template',`
+@@ -1201,13 +1547,17 @@ template(`userdom_admin_user_template',`
  	userdom_manage_user_home_content_sockets($1_t)
  	userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
  
@@ -36701,7 +36785,7 @@ index 3c5dba7..6c2548e 100644
  	optional_policy(`
  		postgresql_unconfined($1_t)
  	')
-@@ -1253,6 +1602,8 @@ template(`userdom_security_admin_template',`
+@@ -1253,6 +1603,8 @@ template(`userdom_security_admin_template',`
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -36710,7 +36794,7 @@ index 3c5dba7..6c2548e 100644
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1265,8 +1616,10 @@ template(`userdom_security_admin_template',`
+@@ -1265,8 +1617,10 @@ template(`userdom_security_admin_template',`
  	selinux_set_enforce_mode($1)
  	selinux_set_all_booleans($1)
  	selinux_set_parameters($1)
@@ -36722,7 +36806,7 @@ index 3c5dba7..6c2548e 100644
  	auth_relabel_shadow($1)
  
  	init_exec($1)
-@@ -1277,29 +1630,31 @@ template(`userdom_security_admin_template',`
+@@ -1277,29 +1631,31 @@ template(`userdom_security_admin_template',`
  	logging_read_audit_config($1)
  
  	seutil_manage_bin_policy($1)
@@ -36765,7 +36849,7 @@ index 3c5dba7..6c2548e 100644
  	')
  
  	optional_policy(`
-@@ -1360,14 +1715,17 @@ interface(`userdom_user_home_content',`
+@@ -1360,14 +1716,17 @@ interface(`userdom_user_home_content',`
  	gen_require(`
  		attribute user_home_content_type;
  		type user_home_t;
@@ -36784,7 +36868,7 @@ index 3c5dba7..6c2548e 100644
  ')
  
  ########################################
-@@ -1408,6 +1766,51 @@ interface(`userdom_user_tmpfs_file',`
+@@ -1408,6 +1767,51 @@ interface(`userdom_user_tmpfs_file',`
  ## <summary>
  ##	Allow domain to attach to TUN devices created by administrative users.
  ## </summary>
@@ -36836,7 +36920,7 @@ index 3c5dba7..6c2548e 100644
  ## <param name="domain">
  ##	<summary>
  ##	Domain allowed access.
-@@ -1512,11 +1915,31 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1512,11 +1916,31 @@ interface(`userdom_search_user_home_dirs',`
  	')
  
  	allow $1 user_home_dir_t:dir search_dir_perms;
@@ -36868,7 +36952,7 @@ index 3c5dba7..6c2548e 100644
  ##	Do not audit attempts to search user home directories.
  ## </summary>
  ## <desc>
-@@ -1558,6 +1981,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1558,6 +1982,14 @@ interface(`userdom_list_user_home_dirs',`
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
@@ -36883,7 +36967,7 @@ index 3c5dba7..6c2548e 100644
  ')
  
  ########################################
-@@ -1573,9 +2004,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1573,9 +2005,11 @@ interface(`userdom_list_user_home_dirs',`
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -36895,7 +36979,7 @@ index 3c5dba7..6c2548e 100644
  ')
  
  ########################################
-@@ -1632,6 +2065,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1632,6 +2066,42 @@ interface(`userdom_relabelto_user_home_dirs',`
  	allow $1 user_home_dir_t:dir relabelto;
  ')
  
@@ -36938,7 +37022,7 @@ index 3c5dba7..6c2548e 100644
  ########################################
  ## <summary>
  ##	Create directories in the home dir root with
-@@ -1711,6 +2180,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1711,6 +2181,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
  	')
  
  	dontaudit $1 user_home_t:dir search_dir_perms;
@@ -36947,7 +37031,7 @@ index 3c5dba7..6c2548e 100644
  ')
  
  ########################################
-@@ -1744,10 +2215,12 @@ interface(`userdom_list_all_user_home_content',`
+@@ -1744,10 +2216,12 @@ interface(`userdom_list_all_user_home_content',`
  #
  interface(`userdom_list_user_home_content',`
  	gen_require(`
@@ -36962,7 +37046,7 @@ index 3c5dba7..6c2548e 100644
  ')
  
  ########################################
-@@ -1772,7 +2245,7 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1772,7 +2246,7 @@ interface(`userdom_manage_user_home_content_dirs',`
  
  ########################################
  ## <summary>
@@ -36971,7 +37055,7 @@ index 3c5dba7..6c2548e 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1780,19 +2253,17 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1780,19 +2254,17 @@ interface(`userdom_manage_user_home_content_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -36995,7 +37079,7 @@ index 3c5dba7..6c2548e 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1800,31 +2271,31 @@ interface(`userdom_delete_all_user_home_content_dirs',`
+@@ -1800,31 +2272,31 @@ interface(`userdom_delete_all_user_home_content_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -37035,7 +37119,7 @@ index 3c5dba7..6c2548e 100644
  ')
  
  ########################################
-@@ -1848,6 +2319,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1848,6 +2320,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -37061,7 +37145,7 @@ index 3c5dba7..6c2548e 100644
  ##	Mmap user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1878,14 +2368,36 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1878,14 +2369,36 @@ interface(`userdom_mmap_user_home_content_files',`
  interface(`userdom_read_user_home_content_files',`
  	gen_require(`
  		type user_home_dir_t, user_home_t;
@@ -37099,7 +37183,7 @@ index 3c5dba7..6c2548e 100644
  ##	Do not audit attempts to read user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1896,11 +2408,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1896,11 +2409,14 @@ interface(`userdom_read_user_home_content_files',`
  #
  interface(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -37117,7 +37201,7 @@ index 3c5dba7..6c2548e 100644
  ')
  
  ########################################
-@@ -1941,7 +2456,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1941,7 +2457,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -37144,7 +37228,7 @@ index 3c5dba7..6c2548e 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1951,17 +2484,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1951,17 +2485,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
  #
  interface(`userdom_delete_all_user_home_content_files',`
  	gen_require(`
@@ -37165,7 +37249,7 @@ index 3c5dba7..6c2548e 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1969,12 +2500,48 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1969,12 +2501,48 @@ interface(`userdom_delete_all_user_home_content_files',`
  ##	</summary>
  ## </param>
  #
@@ -37216,7 +37300,7 @@ index 3c5dba7..6c2548e 100644
  ')
  
  ########################################
-@@ -2010,8 +2577,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2010,8 +2578,7 @@ interface(`userdom_read_user_home_content_symlinks',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -37226,7 +37310,7 @@ index 3c5dba7..6c2548e 100644
  ')
  
  ########################################
-@@ -2027,20 +2593,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2027,20 +2594,14 @@ interface(`userdom_read_user_home_content_symlinks',`
  #
  interface(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -37251,7 +37335,7 @@ index 3c5dba7..6c2548e 100644
  
  ########################################
  ## <summary>
-@@ -2123,7 +2683,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2123,7 +2684,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
  
  ########################################
  ## <summary>
@@ -37260,7 +37344,7 @@ index 3c5dba7..6c2548e 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2131,19 +2691,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2131,19 +2692,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -37284,7 +37368,7 @@ index 3c5dba7..6c2548e 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2151,12 +2709,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+@@ -2151,12 +2710,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -37300,7 +37384,7 @@ index 3c5dba7..6c2548e 100644
  ')
  
  ########################################
-@@ -2393,11 +2951,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2393,11 +2952,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
  #
  interface(`userdom_read_user_tmp_files',`
  	gen_require(`
@@ -37315,7 +37399,7 @@ index 3c5dba7..6c2548e 100644
  	files_search_tmp($1)
  ')
  
-@@ -2417,7 +2975,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2417,7 +2976,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -37324,7 +37408,7 @@ index 3c5dba7..6c2548e 100644
  ')
  
  ########################################
-@@ -2664,6 +3222,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2664,6 +3223,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
  	files_tmp_filetrans($1, user_tmp_t, $2, $3)
  ')
  
@@ -37350,7 +37434,7 @@ index 3c5dba7..6c2548e 100644
  ########################################
  ## <summary>
  ##	Read user tmpfs files.
-@@ -2680,13 +3257,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2680,13 +3258,14 @@ interface(`userdom_read_user_tmpfs_files',`
  	')
  
  	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -37366,7 +37450,7 @@ index 3c5dba7..6c2548e 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2707,7 +3285,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2707,7 +3286,7 @@ interface(`userdom_rw_user_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -37375,7 +37459,7 @@ index 3c5dba7..6c2548e 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2715,19 +3293,17 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2715,19 +3294,17 @@ interface(`userdom_rw_user_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -37398,7 +37482,7 @@ index 3c5dba7..6c2548e 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2735,25 +3311,43 @@ interface(`userdom_manage_user_tmpfs_files',`
+@@ -2735,25 +3312,43 @@ interface(`userdom_manage_user_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -37448,7 +37532,7 @@ index 3c5dba7..6c2548e 100644
  	gen_require(`
  		type user_tty_device_t;
  	')
-@@ -2817,6 +3411,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2817,6 +3412,24 @@ interface(`userdom_use_user_ttys',`
  
  ########################################
  ## <summary>
@@ -37473,7 +37557,7 @@ index 3c5dba7..6c2548e 100644
  ##	Read and write a user domain pty.
  ## </summary>
  ## <param name="domain">
-@@ -2835,22 +3447,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2835,22 +3448,34 @@ interface(`userdom_use_user_ptys',`
  
  ########################################
  ## <summary>
@@ -37516,7 +37600,7 @@ index 3c5dba7..6c2548e 100644
  ## </desc>
  ## <param name="domain">
  ##	<summary>
-@@ -2859,14 +3483,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2859,14 +3484,33 @@ interface(`userdom_use_user_ptys',`
  ## </param>
  ## <infoflow type="both" weight="10"/>
  #
@@ -37554,7 +37638,7 @@ index 3c5dba7..6c2548e 100644
  ')
  
  ########################################
-@@ -2885,8 +3528,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2885,8 +3529,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
  		type user_tty_device_t, user_devpts_t;
  	')
  
@@ -37584,7 +37668,7 @@ index 3c5dba7..6c2548e 100644
  ')
  
  ########################################
-@@ -2958,69 +3620,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2958,69 +3621,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
@@ -37685,7 +37769,7 @@ index 3c5dba7..6c2548e 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3028,12 +3689,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3028,12 +3690,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
  ##	</summary>
  ## </param>
  #
@@ -37700,7 +37784,7 @@ index 3c5dba7..6c2548e 100644
  ')
  
  ########################################
-@@ -3097,7 +3758,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3097,7 +3759,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -37709,7 +37793,7 @@ index 3c5dba7..6c2548e 100644
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -3113,29 +3774,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3113,29 +3775,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -37743,7 +37827,7 @@ index 3c5dba7..6c2548e 100644
  ')
  
  ########################################
-@@ -3217,7 +3862,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3217,7 +3863,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
  		type user_devpts_t;
  	')
  
@@ -37752,7 +37836,7 @@ index 3c5dba7..6c2548e 100644
  ')
  
  ########################################
-@@ -3272,7 +3917,64 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3272,7 +3918,64 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -37818,7 +37902,7 @@ index 3c5dba7..6c2548e 100644
  ')
  
  ########################################
-@@ -3290,7 +3992,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+@@ -3290,7 +3993,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
  		type user_tty_device_t;
  	')
  
@@ -37827,7 +37911,7 @@ index 3c5dba7..6c2548e 100644
  ')
  
  ########################################
-@@ -3309,6 +4011,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3309,6 +4012,7 @@ interface(`userdom_read_all_users_state',`
  	')
  
  	read_files_pattern($1, userdomain, userdomain)
@@ -37835,7 +37919,7 @@ index 3c5dba7..6c2548e 100644
  	kernel_search_proc($1)
  ')
  
-@@ -3385,6 +4088,42 @@ interface(`userdom_signal_all_users',`
+@@ -3385,6 +4089,42 @@ interface(`userdom_signal_all_users',`
  	allow $1 userdomain:process signal;
  ')
  
@@ -37878,7 +37962,7 @@ index 3c5dba7..6c2548e 100644
  ########################################
  ## <summary>
  ##	Send a SIGCHLD signal to all user domains.
-@@ -3405,6 +4144,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3405,6 +4145,24 @@ interface(`userdom_sigchld_all_users',`
  
  ########################################
  ## <summary>
@@ -37903,7 +37987,7 @@ index 3c5dba7..6c2548e 100644
  ##	Create keys for all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3439,3 +4196,1355 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3439,3 +4197,1355 @@ interface(`userdom_dbus_send_all_users',`
  
  	allow $1 userdomain:dbus send_msg;
  ')
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 0c2bc63..867dc4d 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -9389,7 +9389,7 @@ index 5ded72d..f6b854c 100644
  	domain_system_change_exemption($1)
  	role_transition $2 ccs_initrc_exec_t system_r;
 diff --git a/ccs.te b/ccs.te
-index b85b53b..a37eebd 100644
+index b85b53b..476aaa3 100644
 --- a/ccs.te
 +++ b/ccs.te
 @@ -37,7 +37,7 @@ files_pid_file(ccs_var_run_t)
@@ -9426,6 +9426,16 @@ index b85b53b..a37eebd 100644
  sysnet_dns_name_resolve(ccs_t)
  
  userdom_manage_unpriv_user_shared_mem(ccs_t)
+@@ -115,8 +112,7 @@ ifdef(`hide_broken_symptoms',`
+ ')
+ 
+ optional_policy(`
+-	aisexec_stream_connect(ccs_t)
+-	corosync_stream_connect(ccs_t)
++	rhcs_stream_connect_cluster(ccs_t)
+ ')
+ 
+ optional_policy(`
 diff --git a/cdrecord.te b/cdrecord.te
 index 55fb26a..a7555c0 100644
 --- a/cdrecord.te
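Review bot: The replacement `rhcs_stream_connect_cluster(ccs_t)` collapses two separate connects (`aisexec_stream_connect`, `corosync_stream_connect`) into one interface whose definition is not in view; it should be confirmed that rhcs.if provides it and that it covers both socket types the old pair granted, since an interface missing from the loaded rhcs module would make the whole `optional_policy` block a no-op. The same substitution is made for clogd_t (clogd.te hunk) and pegasus_t (pegasus.te hunk), and the modules-*-contrib.conf changes drop the aisexec/corosync/rgmanager/pacemaker modules, so all three call sites now depend on the rhcs module alone. The surrounding ccs_t policy lies outside the hunk.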
@@ -10985,18 +10995,20 @@ index b59c592..4b8cddc 100644
  optional_policy(`
  	daemontools_service_domain(clockspeed_srv_t, clockspeed_srv_exec_t)
 diff --git a/clogd.te b/clogd.te
-index 29782b8..c614d47 100644
+index 29782b8..685edff 100644
 --- a/clogd.te
 +++ b/clogd.te
-@@ -41,8 +41,6 @@ storage_raw_write_fixed_disk(clogd_t)
+@@ -41,9 +41,6 @@ storage_raw_write_fixed_disk(clogd_t)
  
  logging_send_syslog_msg(clogd_t)
  
 -miscfiles_read_localization(clogd_t)
 -
  optional_policy(`
- 	aisexec_stream_connect(clogd_t)
- 	corosync_stream_connect(clogd_t)
+-	aisexec_stream_connect(clogd_t)
+-	corosync_stream_connect(clogd_t)
++	rhcs_stream_connect_cluster(clogd_t)
+ ')
 diff --git a/cloudform.fc b/cloudform.fc
 new file mode 100644
 index 0000000..8a40857
@@ -11584,7 +11596,7 @@ index 954309e..f4db2ca 100644
  ')
 +
 diff --git a/collectd.te b/collectd.te
-index 6471fa8..4704562 100644
+index 6471fa8..45f1622 100644
 --- a/collectd.te
 +++ b/collectd.te
 @@ -26,6 +26,9 @@ files_type(collectd_var_lib_t)
@@ -11597,7 +11609,18 @@ index 6471fa8..4704562 100644
  apache_content_template(collectd)
  
  ########################################
-@@ -57,13 +60,9 @@ dev_read_sysfs(collectd_t)
+@@ -48,21 +51,18 @@ files_pid_filetrans(collectd_t, collectd_var_run_t, file)
+ 
+ domain_use_interactive_fds(collectd_t)
+ 
+-kernel_read_network_state(collectd_t)
+-kernel_read_net_sysctls(collectd_t)
+-kernel_read_system_state(collectd_t)
++kernel_read_all_sysctls(collectd_t)
++kernel_read_all_proc(collectd_t)
+ 
+ dev_read_rand(collectd_t)
+ dev_read_sysfs(collectd_t)
  dev_read_urand(collectd_t)
  
  files_getattr_all_dirs(collectd_t)
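Review bot: Replacing `kernel_read_network_state`, `kernel_read_net_sysctls` and `kernel_read_system_state` with `kernel_read_all_sysctls(collectd_t)` and `kernel_read_all_proc(collectd_t)` widens collectd_t from three targeted /proc views to every sysctl and every /proc entry, a notable least-privilege step for a metrics daemon. If the motivating denials were for a few specific entries, the narrower interfaces should be kept and only the missing ones added; if the broad grant is intentional, a one-line comment above the pair (`# collectd plugins read arbitrary /proc and sysctl entries`) would stop a later reviewer from re-narrowing it. The inner hunk continues into the next outer hunk, so its full context is split across the two.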
@@ -11607,13 +11630,16 @@ index 6471fa8..4704562 100644
  fs_getattr_all_fs(collectd_t)
  
 -miscfiles_read_localization(collectd_t)
--
++init_read_utmp(collectd_t)
+ 
  logging_send_syslog_msg(collectd_t)
  
- sysnet_dns_name_resolve(collectd_t)
-@@ -88,3 +87,4 @@ optional_policy(`
+@@ -87,4 +87,7 @@ optional_policy(`
+ 	read_files_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
  	list_dirs_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
  	miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t)
++	
++	auth_read_passwd(httpd_collectd_script_t)
  ')
 +
 diff --git a/colord.fc b/colord.fc
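Review bot: The added line before `auth_read_passwd(httpd_collectd_script_t)` consists of a single tab, i.e. whitespace on an otherwise empty line; it should be a genuinely empty line to keep the .te file clean and avoid noise in later diffs. `auth_read_passwd` on the CGI script domain is plausible for name lookups, but a short comment stating the reason (for example `# CGI script resolves user names`, if that is the case) would document why a web-facing domain reads passwd. The collectd_t section this hunk edits begins in the previous hunk.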
@@ -20586,7 +20612,7 @@ index dbcac59..66d42bb 100644
 +	admin_pattern($1, dovecot_passwd_t)
  ')
 diff --git a/dovecot.te b/dovecot.te
-index a7bfaf0..9697f9d 100644
+index a7bfaf0..d16e5e8 100644
 --- a/dovecot.te
 +++ b/dovecot.te
 @@ -1,4 +1,4 @@
@@ -20779,14 +20805,14 @@ index a7bfaf0..9697f9d 100644
  
 -userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
 -userdom_use_user_terminals(dovecot_t)
--
++logging_send_syslog_msg(dovecot_t)
+ 
 -tunable_policy(`use_nfs_home_dirs',`
 -	fs_manage_nfs_dirs(dovecot_t)
 -	fs_manage_nfs_files(dovecot_t)
 -	fs_manage_nfs_symlinks(dovecot_t)
 -')
-+logging_send_syslog_msg(dovecot_t)
- 
+-
 -tunable_policy(`use_samba_home_dirs',`
 -	fs_manage_cifs_dirs(dovecot_t)
 -	fs_manage_cifs_files(dovecot_t)
@@ -20836,7 +20862,7 @@ index a7bfaf0..9697f9d 100644
  	sendmail_domtrans(dovecot_t)
  ')
  
-@@ -221,46 +213,57 @@ optional_policy(`
+@@ -221,46 +213,59 @@ optional_policy(`
  
  ########################################
  #
@@ -20856,6 +20882,8 @@ index a7bfaf0..9697f9d 100644
 +read_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t)
 +read_lnk_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t)
 +
++manage_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
++
  manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
  manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
  files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
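Review bot: `manage_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)` grants the auth worker create, write and unlink on every plain file under the dovecot pid directory, not just whatever state it owns; if the need is the auth sockets, the matching class is `manage_sock_files_pattern`, and if it is a specific file, a comment naming it would keep the grant reviewable. The dovecot_auth_t local policy section begins before this hunk, so existing rules on dovecot_var_run_t could not be checked here.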
@@ -20904,7 +20932,7 @@ index a7bfaf0..9697f9d 100644
  	mysql_stream_connect(dovecot_auth_t)
  	mysql_read_config(dovecot_auth_t)
  	mysql_tcp_connect(dovecot_auth_t)
-@@ -272,14 +275,21 @@ optional_policy(`
+@@ -272,14 +277,21 @@ optional_policy(`
  
  optional_policy(`
  	postfix_manage_private_sockets(dovecot_auth_t)
@@ -20927,7 +20955,7 @@ index a7bfaf0..9697f9d 100644
  allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
  
  append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
-@@ -289,35 +299,41 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t
+@@ -289,35 +301,41 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t
  files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir })
  
  allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
@@ -20986,7 +21014,7 @@ index a7bfaf0..9697f9d 100644
  	mta_read_queue(dovecot_deliver_t)
  ')
  
-@@ -326,5 +342,6 @@ optional_policy(`
+@@ -326,5 +344,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -22131,16 +22159,33 @@ index 0872e50..d49f5ad 100644
  userdom_dontaudit_search_user_home_dirs(fail2ban_client_t)
  userdom_use_user_terminals(fail2ban_client_t)
 diff --git a/fcoe.te b/fcoe.te
-index 79b9273..dc7e983 100644
+index 79b9273..76b7ed5 100644
 --- a/fcoe.te
 +++ b/fcoe.te
-@@ -31,7 +31,6 @@ manage_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t)
+@@ -20,20 +20,20 @@ files_pid_file(fcoemon_var_run_t)
+ # Local policy
+ #
+ 
+-allow fcoemon_t self:capability { dac_override kill net_admin };
++allow fcoemon_t self:capability { net_admin net_raw dac_override };
+ allow fcoemon_t self:fifo_file rw_fifo_file_perms;
+ allow fcoemon_t self:unix_stream_socket { accept listen };
+ allow fcoemon_t self:netlink_socket create_socket_perms;
+ allow fcoemon_t self:netlink_route_socket create_netlink_socket_perms;
++allow fcoemon_t self:packet_socket create_socket_perms;
++allow fcoemon_t self:udp_socket create_socket_perms;
+ 
+ manage_dirs_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t)
+ manage_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t)
  manage_sock_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t)
  files_pid_filetrans(fcoemon_t, fcoemon_var_run_t, { dir file })
  
 -files_read_etc_files(fcoemon_t)
+-
+-dev_read_sysfs(fcoemon_t)
++dev_rw_sysfs(fcoemon_t)
  
- dev_read_sysfs(fcoemon_t)
+ logging_send_syslog_msg(fcoemon_t)
  
 diff --git a/fetchmail.fc b/fetchmail.fc
 index 2486e2a..ea07c4f 100644
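Review bot: `dev_rw_sysfs(fcoemon_t)` replaces read-only access with write access to the whole of sysfs, and together with the new `net_raw` capability and `packet_socket` rule it is the largest privilege increase in the hunk; if fcoemon only writes the FCoE/DCB sysfs nodes, a comment above the line saying so (`# fcoemon configures FCoE interfaces via sysfs`) would record the justification, since no narrower sysfs write interface is in view here. The capability list was also reordered while dropping `kill`; keeping the sorted order (`{ dac_override net_admin net_raw }`) matches the file's style and makes the removal obvious in the diff. The inner hunk header counts (20/20) check out against the visible lines.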
@@ -29820,7 +29865,7 @@ index 182ab8b..8b1d9c2 100644
 +')
 +
 diff --git a/kdumpgui.te b/kdumpgui.te
-index e7f5c81..fb73b38 100644
+index e7f5c81..8ff6f51 100644
 --- a/kdumpgui.te
 +++ b/kdumpgui.te
 @@ -1,4 +1,4 @@
@@ -29829,7 +29874,7 @@ index e7f5c81..fb73b38 100644
  
  ########################################
  #
-@@ -7,61 +7,65 @@ policy_module(kdumpgui, 1.1.4)
+@@ -7,77 +7,73 @@ policy_module(kdumpgui, 1.1.4)
  
  type kdumpgui_t;
  type kdumpgui_exec_t;
@@ -29900,19 +29945,20 @@ index e7f5c81..fb73b38 100644
  
  init_dontaudit_read_all_script_files(kdumpgui_t)
 +init_access_check(kdumpgui_t)
-+
+ 
+-optional_policy(`
+-	bootloader_exec(kdumpgui_t)
+-	bootloader_rw_config(kdumpgui_t)
+-')
 +userdom_dontaudit_search_admin_dir(kdumpgui_t)
  
  optional_policy(`
- 	bootloader_exec(kdumpgui_t)
-@@ -69,15 +73,7 @@ optional_policy(`
+-	consoletype_exec(kdumpgui_t)
++	bootloader_exec(kdumpgui_t)
++	bootloader_manage_config(kdumpgui_t)
  ')
  
  optional_policy(`
--	consoletype_exec(kdumpgui_t)
--')
--
--optional_policy(`
  	dbus_system_domain(kdumpgui_t, kdumpgui_exec_t)
 -
 -	optional_policy(`
@@ -34764,10 +34810,10 @@ index 89409eb..64ac6f0 100644
  /var/spool/postfix/spamass(/.*)?	gen_context(system_u:object_r:spamass_milter_data_t,s0)
 +/var/spool/opendkim(/.*)?       gen_context(system_u:object_r:dkim_milter_data_t,s0)
 diff --git a/milter.if b/milter.if
-index cba62db..bdf319a 100644
+index cba62db..562833a 100644
 --- a/milter.if
 +++ b/milter.if
-@@ -1,47 +1,59 @@
+@@ -1,47 +1,43 @@
 -## <summary>Milter mail filters.</summary>
 +## <summary>Milter mail filters</summary>
  
@@ -34811,29 +34857,13 @@ index cba62db..bdf319a 100644
 -	# Policy
 -	#
 +	# Allow communication with MTA over a unix-domain socket
-+	# Note: usage with TCP sockets requires additional policy
++	manage_sock_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
  
--	manage_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
-+	allow $1_milter_t self:fifo_file rw_fifo_file_perms;
-+
-+	# Allow communication with MTA over a TCP socket
-+	allow $1_milter_t self:tcp_socket create_stream_socket_perms;
-+
-+	# Allow communication with MTA over a unix-domain socket
- 	manage_sock_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
++	# Create other data files and directories in the data directory
+ 	manage_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
+-	manage_sock_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
  
 -	auth_use_nsswitch($1_milter_t)
-+	# Create other data files and directories in the data directory
-+	manage_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
-+
-+	kernel_dontaudit_read_system_state($1_milter_t)
-+
-+	corenet_tcp_bind_generic_node($1_milter_t)
-+	corenet_tcp_bind_milter_port($1_milter_t)
-+
-+	files_read_etc_files($1_milter_t)
-+
-+
 +	logging_send_syslog_msg($1_milter_t)
  ')
  
@@ -34845,7 +34875,7 @@ index cba62db..bdf319a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -55,12 +67,13 @@ interface(`milter_stream_connect_all',`
+@@ -55,12 +51,13 @@ interface(`milter_stream_connect_all',`
  	')
  
  	files_search_pids($1)
@@ -34860,7 +34890,7 @@ index cba62db..bdf319a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -73,13 +86,31 @@ interface(`milter_getattr_all_sockets',`
+@@ -73,13 +70,31 @@ interface(`milter_getattr_all_sockets',`
  		attribute milter_data_type;
  	')
  
@@ -34894,7 +34924,7 @@ index cba62db..bdf319a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -97,3 +128,22 @@ interface(`milter_manage_spamass_state',`
+@@ -97,3 +112,22 @@ interface(`milter_manage_spamass_state',`
  	manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
  	manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
  ')
@@ -34918,10 +34948,10 @@ index cba62db..bdf319a 100644
 +	delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t)
 +')
 diff --git a/milter.te b/milter.te
-index 92508b2..38c718c 100644
+index 92508b2..db83591 100644
 --- a/milter.te
 +++ b/milter.te
-@@ -1,77 +1,96 @@
+@@ -1,77 +1,110 @@
 -policy_module(milter, 1.4.2)
 +policy_module(milter, 1.4.0)
  
@@ -34952,38 +34982,59 @@ index 92508b2..38c718c 100644
  type spamass_milter_state_t;
  files_type(spamass_milter_state_t)
  
++
  #######################################
  #
 -# Common local policy
-+# dkim-milter local policy
++# milter domains local policy
  #
  
--allow milter_domains self:fifo_file rw_fifo_file_perms;
++# Allow communication with MTA over a unix-domain socket
++# Note: usage with TCP sockets requires additional policy
++
+ allow milter_domains self:fifo_file rw_fifo_file_perms;
 -allow milter_domains self:tcp_socket { accept listen };
-+allow dkim_milter_t self:capability { kill setgid setuid };
-+allow dkim_milter_t self:process signal;
-+allow dkim_milter_t self:tcp_socket create_stream_socket_perms;
-+allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms;
++
++# Allow communication with MTA over a TCP socket
++allow milter_domains self:tcp_socket create_stream_socket_perms;
  
--kernel_dontaudit_read_system_state(milter_domains)
-+read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)
+ kernel_dontaudit_read_system_state(milter_domains)
  
 -corenet_all_recvfrom_unlabeled(milter_domains)
 -corenet_all_recvfrom_netlabel(milter_domains)
 -corenet_tcp_sendrecv_generic_if(milter_domains)
 -corenet_tcp_sendrecv_generic_node(milter_domains)
--corenet_tcp_bind_generic_node(milter_domains)
-+kernel_read_kernel_sysctls(dkim_milter_t)
- 
--corenet_tcp_bind_milter_port(milter_domains)
+ corenet_tcp_bind_generic_node(milter_domains)
+-
+ corenet_tcp_bind_milter_port(milter_domains)
 -corenet_tcp_sendrecv_all_ports(milter_domains)
-+auth_use_nsswitch(dkim_milter_t)
  
 -miscfiles_read_localization(milter_domains)
-+sysnet_dns_name_resolve(dkim_milter_t)
++dev_read_rand(milter_domains)
++dev_read_urand(milter_domains)
++
++mta_read_config(milter_domains)
++
++sysnet_read_config(greylist_milter_t)
++
++#######################################
++#
++# dkim-milter local policy
++#
++
++allow dkim_milter_t self:capability { kill setgid setuid };
++allow dkim_milter_t self:process signal;
++allow dkim_milter_t self:tcp_socket create_stream_socket_perms;
++allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms;
  
 -logging_send_syslog_msg(milter_domains)
-+mta_read_config(dkim_milter_t)
++read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)
++
++kernel_read_kernel_sysctls(dkim_milter_t)
++
++auth_use_nsswitch(dkim_milter_t)
++
++sysnet_dns_name_resolve(dkim_milter_t)
  
  ########################################
  #
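Review bot: The comment `# Note: usage with TCP sockets requires additional policy` now sits above the `self:fifo_file` rule and is immediately followed by `allow milter_domains self:tcp_socket create_stream_socket_perms;` plus the `corenet_tcp_bind_*` rules, so it contradicts the policy it annotates; drop it, or reword it to say what is still missing, if anything. `sysnet_read_config(greylist_milter_t)` is a greylist-specific rule placed in the "milter domains local policy" section and belongs with the greylist block that follows. There are also two consecutive added blank lines before the section header and after the Note comment.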
@@ -35015,9 +35066,7 @@ index 92508b2..38c718c 100644
 -corenet_sendrecv_kismet_server_packets(greylist_milter_t)
 -corenet_tcp_bind_kismet_port(greylist_milter_t)
 -corenet_tcp_sendrecv_kismet_port(greylist_milter_t)
-+dev_read_rand(greylist_milter_t)
-+dev_read_urand(greylist_milter_t)
- 
+-
  corecmd_exec_bin(greylist_milter_t)
  corecmd_exec_shell(greylist_milter_t)
  
@@ -35033,20 +35082,15 @@ index 92508b2..38c718c 100644
 +# The milter runs from /var/lib/milter-greylist and maintains files there
  files_search_var_lib(greylist_milter_t)
  
+-mta_read_config(greylist_milter_t)
+-
+-miscfiles_read_localization(greylist_milter_t)
 +# Look up username for dropping privs
 +auth_use_nsswitch(greylist_milter_t)
-+
-+# Config is in /etc/mail/greylist.conf
- mta_read_config(greylist_milter_t)
- 
--miscfiles_read_localization(greylist_milter_t)
-+
-+sysnet_read_config(greylist_milter_t)
-+
  
  optional_policy(`
  	mysql_stream_connect(greylist_milter_t)
-@@ -79,30 +98,48 @@ optional_policy(`
+@@ -79,30 +112,45 @@ optional_policy(`
  
  ########################################
  #
@@ -35063,11 +35107,9 @@ index 92508b2..38c718c 100644
 +# The milter's socket directory lives under /var/spool
  files_search_spool(regex_milter_t)
  
+-mta_read_config(regex_milter_t)
 +# Look up username for dropping privs
 +auth_use_nsswitch(regex_milter_t)
-+
-+# Config is in /etc/mail/milter-regex.conf
- mta_read_config(regex_milter_t)
  
  ########################################
  #
@@ -37585,11 +37627,47 @@ index 6a306ee..7131f6f 100644
 +tunable_policy(`selinuxuser_execmod',`
 +	userdom_execmod_user_home_files(mozilla_plugin_t)
  ')
+diff --git a/mpd.fc b/mpd.fc
+index 313ce52..6aa46d2 100644
+--- a/mpd.fc
++++ b/mpd.fc
+@@ -9,3 +9,5 @@
+ /var/lib/mpd/playlists(/.*)?	gen_context(system_u:object_r:mpd_data_t,s0)
+ 
+ /var/log/mpd(/.*)?	gen_context(system_u:object_r:mpd_log_t,s0)
++
++/var/run/mpd(/.*)?	gen_context(system_u:object_r:mpd_var_run_t,s0)
 diff --git a/mpd.if b/mpd.if
-index 5fa77c7..a0e8661 100644
+index 5fa77c7..2e01c7d 100644
 --- a/mpd.if
 +++ b/mpd.if
-@@ -344,9 +344,13 @@ interface(`mpd_admin',`
+@@ -322,6 +322,25 @@ interface(`mpd_manage_lib_dirs',`
+ 
+ ########################################
+ ## <summary>
++##	Connect to mpd over a unix stream socket.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`mpd_stream_connect',`
++	gen_require(`
++		type mpd_t, mpd_var_run_t;
++	')
++
++	files_search_pids($1)
++	stream_connect_pattern($1, mpd_var_run_t, mpd_var_run_t, mpd_t)
++')
++
++########################################
++## <summary>
+ ##	All of the rules required to
+ ##	administrate an mpd environment.
+ ## </summary>
+@@ -344,9 +363,13 @@ interface(`mpd_admin',`
  		type mpd_tmpfs_t, mpd_tmp_t, mpd_user_data_t;
  	')
  
@@ -37605,10 +37683,20 @@ index 5fa77c7..a0e8661 100644
  	domain_system_change_exemption($1)
  	role_transition $2 mpd_initrc_exec_t system_r;
 diff --git a/mpd.te b/mpd.te
-index 7c8afcc..200cec1 100644
+index 7c8afcc..0f46305 100644
 --- a/mpd.te
 +++ b/mpd.te
-@@ -74,6 +74,7 @@ allow mpd_t self:unix_stream_socket { accept connectto listen };
+@@ -62,6 +62,9 @@ files_type(mpd_var_lib_t)
+ type mpd_user_data_t;
+ userdom_user_home_content(mpd_user_data_t) # customizable
+ 
++type mpd_var_run_t;
++files_pid_file(mpd_var_run_t)
++
+ ########################################
+ #
+ # Local policy
+@@ -74,6 +77,7 @@ allow mpd_t self:unix_stream_socket { accept connectto listen };
  allow mpd_t self:unix_dgram_socket sendto;
  allow mpd_t self:tcp_socket { accept listen };
  allow mpd_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -37616,7 +37704,19 @@ index 7c8afcc..200cec1 100644
  
  allow mpd_t mpd_data_t:dir manage_dir_perms;
  allow mpd_t mpd_data_t:file manage_file_perms;
-@@ -110,7 +111,6 @@ kernel_read_kernel_sysctls(mpd_t)
+@@ -104,13 +108,18 @@ manage_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t)
+ manage_lnk_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t)
+ files_var_lib_filetrans(mpd_t, mpd_var_lib_t, dir)
+ 
++manage_files_pattern(mpd_t, mpd_var_run_t, mpd_var_run_t)
++manage_dirs_pattern(mpd_t, mpd_var_run_t, mpd_var_run_t)
++manage_sock_files_pattern(mpd_t, mpd_var_run_t, mpd_var_run_t)
++manage_lnk_files_pattern(mpd_t, mpd_var_run_t, mpd_var_run_t)
++files_pid_filetrans(mpd_t, mpd_var_run_t, { file dir sock_file })
++
+ kernel_getattr_proc(mpd_t)
+ kernel_read_system_state(mpd_t)
+ kernel_read_kernel_sysctls(mpd_t)
  
  corecmd_exec_bin(mpd_t)
  
@@ -37624,7 +37724,7 @@ index 7c8afcc..200cec1 100644
  corenet_all_recvfrom_netlabel(mpd_t)
  corenet_tcp_sendrecv_generic_if(mpd_t)
  corenet_tcp_sendrecv_generic_node(mpd_t)
-@@ -139,7 +139,6 @@ dev_read_sound(mpd_t)
+@@ -139,7 +148,6 @@ dev_read_sound(mpd_t)
  dev_write_sound(mpd_t)
  dev_read_sysfs(mpd_t)
  
@@ -37632,7 +37732,7 @@ index 7c8afcc..200cec1 100644
  
  fs_getattr_all_fs(mpd_t)
  fs_list_inotifyfs(mpd_t)
-@@ -150,7 +149,9 @@ auth_use_nsswitch(mpd_t)
+@@ -150,7 +158,9 @@ auth_use_nsswitch(mpd_t)
  
  logging_send_syslog_msg(mpd_t)
  
@@ -37643,7 +37743,7 @@ index 7c8afcc..200cec1 100644
  
  tunable_policy(`mpd_enable_homedirs',`
  	userdom_search_user_home_dirs(mpd_t)
-@@ -199,6 +200,16 @@ optional_policy(`
+@@ -199,6 +209,16 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39848,10 +39948,18 @@ index b744fe3..4c1b6a8 100644
  	init_labeled_script_domtrans($1, munin_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/munin.te b/munin.te
-index 97370e4..d5f13d8 100644
+index 97370e4..f076c38 100644
 --- a/munin.te
 +++ b/munin.te
-@@ -45,7 +45,7 @@ munin_plugin_template(unconfined)
+@@ -40,12 +40,15 @@ munin_plugin_template(services)
+ munin_plugin_template(system)
+ munin_plugin_template(unconfined)
+ 
++type httpd_munin_script_tmp_t;
++files_tmp_file(httpd_munin_script_tmp_t)
++
+ ################################
+ #
  # Common munin plugin local policy
  #
  
@@ -39860,7 +39968,7 @@ index 97370e4..d5f13d8 100644
  allow munin_plugin_domain self:fifo_file rw_fifo_file_perms;
  
  allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms;
-@@ -58,24 +58,16 @@ allow munin_plugin_domain munin_var_lib_t:dir search_dir_perms;
+@@ -58,24 +61,16 @@ allow munin_plugin_domain munin_var_lib_t:dir search_dir_perms;
  
  manage_files_pattern(munin_plugin_domain, munin_plugin_state_t, munin_plugin_state_t)
  
@@ -39885,7 +39993,7 @@ index 97370e4..d5f13d8 100644
  optional_policy(`
  	nscd_use(munin_plugin_domain)
  ')
-@@ -114,7 +106,7 @@ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
+@@ -114,7 +109,7 @@ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
  manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
  manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
  
@@ -39894,7 +40002,7 @@ index 97370e4..d5f13d8 100644
  
  manage_dirs_pattern(munin_t, munin_var_run_t, munin_var_run_t)
  manage_files_pattern(munin_t, munin_var_run_t, munin_var_run_t)
-@@ -130,7 +122,6 @@ kernel_read_all_sysctls(munin_t)
+@@ -130,7 +125,6 @@ kernel_read_all_sysctls(munin_t)
  corecmd_exec_bin(munin_t)
  corecmd_exec_shell(munin_t)
  
@@ -39902,7 +40010,7 @@ index 97370e4..d5f13d8 100644
  corenet_all_recvfrom_netlabel(munin_t)
  corenet_tcp_sendrecv_generic_if(munin_t)
  corenet_tcp_sendrecv_generic_node(munin_t)
-@@ -153,7 +144,6 @@ domain_use_interactive_fds(munin_t)
+@@ -153,7 +147,6 @@ domain_use_interactive_fds(munin_t)
  domain_read_all_domains_state(munin_t)
  
  files_read_etc_runtime_files(munin_t)
@@ -39910,7 +40018,7 @@ index 97370e4..d5f13d8 100644
  files_list_spool(munin_t)
  
  fs_getattr_all_fs(munin_t)
-@@ -165,7 +155,6 @@ logging_send_syslog_msg(munin_t)
+@@ -165,7 +158,6 @@ logging_send_syslog_msg(munin_t)
  logging_read_all_logs(munin_t)
  
  miscfiles_read_fonts(munin_t)
@@ -39918,19 +40026,21 @@ index 97370e4..d5f13d8 100644
  miscfiles_setattr_fonts_cache_dirs(munin_t)
  
  sysnet_exec_ifconfig(munin_t)
-@@ -179,6 +168,11 @@ optional_policy(`
- 	manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
- 	manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
- 	apache_search_sys_content(munin_t)
-+
-+	read_files_pattern(httpd_munin_script_t, munin_var_lib_t, munin_var_lib_t)
-+	read_files_pattern(httpd_munin_script_t, munin_etc_t, munin_etc_t)
-+
-+	files_search_var_lib(httpd_munin_script_t)
- ')
+@@ -173,13 +165,6 @@ sysnet_exec_ifconfig(munin_t)
+ userdom_dontaudit_use_unpriv_user_fds(munin_t)
+ userdom_dontaudit_search_user_home_dirs(munin_t)
+ 
+-optional_policy(`
+-	apache_content_template(munin)
+-
+-	manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
+-	manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
+-	apache_search_sys_content(munin_t)
+-')
  
  optional_policy(`
-@@ -213,7 +207,6 @@ optional_policy(`
+ 	cron_system_entry(munin_t, munin_exec_t)
+@@ -213,7 +198,6 @@ optional_policy(`
  
  optional_policy(`
  	postfix_list_spool(munin_t)
@@ -39938,7 +40048,7 @@ index 97370e4..d5f13d8 100644
  ')
  
  optional_policy(`
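Review bot: Dropping the `optional_policy` wrapper around `apache_content_template(munin)` turns the apache module into a hard dependency of munin: the template is now called unconditionally in the new "Munin CGI script local policy" section (the last munin.te hunk), so munin fails to link whenever apache is not loaded, whereas before the CGI rules were simply skipped. If that is intended it should be stated at the new section (`# munin ships CGI scripts; the apache module is required`); otherwise the new block should stay inside `optional_policy(\`` as it was here. The removed block is fully inside this hunk; its replacement is in the later hunk.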
-@@ -246,17 +239,17 @@ corenet_sendrecv_hddtemp_client_packets(disk_munin_plugin_t)
+@@ -246,17 +230,17 @@ corenet_sendrecv_hddtemp_client_packets(disk_munin_plugin_t)
  corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t)
  corenet_tcp_sendrecv_hddtemp_port(disk_munin_plugin_t)
  
@@ -39960,7 +40070,7 @@ index 97370e4..d5f13d8 100644
  
  sysnet_read_config(disk_munin_plugin_t)
  
-@@ -275,27 +268,36 @@ optional_policy(`
+@@ -275,27 +259,36 @@ optional_policy(`
  
  allow mail_munin_plugin_t self:capability dac_override;
  
@@ -40001,7 +40111,7 @@ index 97370e4..d5f13d8 100644
  ')
  
  optional_policy(`
-@@ -353,7 +355,11 @@ optional_policy(`
+@@ -353,7 +346,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -40014,11 +40124,37 @@ index 97370e4..d5f13d8 100644
  ')
  
  optional_policy(`
-@@ -413,3 +419,4 @@ optional_policy(`
+@@ -413,3 +410,30 @@ optional_policy(`
  optional_policy(`
  	unconfined_domain(unconfined_munin_plugin_t)
  ')
 +
++
++#######################################
++#
++# Munin CGI script local policy
++#
++
++apache_content_template(munin)
++
++manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
++manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
++
++manage_dirs_pattern(httpd_munin_script_t, httpd_munin_script_tmp_t, httpd_munin_script_tmp_t)
++manage_files_pattern(httpd_munin_script_t, httpd_munin_script_tmp_t,httpd_munin_script_tmp_t)
++
++read_files_pattern(httpd_munin_script_t, munin_var_lib_t, munin_var_lib_t)
++read_files_pattern(httpd_munin_script_t, munin_etc_t, munin_etc_t)
++
++allow httpd_munin_script_t munin_log_t:file read_file_perms;
++
++files_search_var_lib(httpd_munin_script_t)
++
++auth_read_passwd(httpd_munin_script_t)
++
++optional_policy(`
++	apache_search_sys_content(munin_t)
++')
 diff --git a/mysql.fc b/mysql.fc
 index c48dc17..43f60de 100644
 --- a/mysql.fc
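Review bot: `apache_content_template(munin)` in the new "Munin CGI script local policy" block is called unconditionally while `apache_search_sys_content(munin_t)` three lines below it is still wrapped in `optional_policy(`, so munin.te now hard-depends on apache.if at build time; the block this replaces (removed in the earlier hunk of this file) kept the whole thing inside `optional_policy(`. Either wrap the entire CGI block in `optional_policy(` ... `')` or drop the now-pointless inner `optional_policy` around `apache_search_sys_content`, but not the current mix. The `manage_files_pattern(httpd_munin_script_t, httpd_munin_script_tmp_t,httpd_munin_script_tmp_t)` line is missing the space after its second comma. `auth_read_passwd(httpd_munin_script_t)` and the `munin_log_t` read grant arrive without a why-comment; a one-liner naming the CGI path that needs passwd lookups would make the grant auditable later.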
@@ -49745,7 +49881,7 @@ index d2fc677..22b745a 100644
 +	logging_send_syslog_msg(pegasus_openlmi_$1_t)
  ')
 diff --git a/pegasus.te b/pegasus.te
-index 7bcf327..0ff4cb5 100644
+index 7bcf327..850de84 100644
 --- a/pegasus.te
 +++ b/pegasus.te
 @@ -1,17 +1,16 @@
@@ -49905,7 +50041,7 @@ index 7bcf327..0ff4cb5 100644
 +')
 +
 +optional_policy(`
-+	corosync_stream_connect(pegasus_t)
++	rhcs_stream_connect_cluster(pegasus_t)
  ')
  
  optional_policy(`
@@ -56910,7 +57046,7 @@ index 00edeab..166e9c3 100644
 +	read_files_pattern($1, procmail_home_t, procmail_home_t)
  ')
 diff --git a/procmail.te b/procmail.te
-index d447152..6f83f03 100644
+index d447152..5940a04 100644
 --- a/procmail.te
 +++ b/procmail.te
 @@ -1,4 +1,4 @@
@@ -56945,12 +57081,13 @@ index d447152..6f83f03 100644
  allow procmail_t procmail_log_t:dir setattr_dir_perms;
  create_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
  append_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
-@@ -40,59 +44,71 @@ logging_log_filetrans(procmail_t, procmail_log_t, { file dir })
+@@ -40,59 +44,72 @@ logging_log_filetrans(procmail_t, procmail_log_t, { file dir })
  allow procmail_t procmail_tmp_t:file manage_file_perms;
  files_tmp_filetrans(procmail_t, procmail_tmp_t, file)
  
 -can_exec(procmail_t, procmail_exec_t)
 -
++kernel_read_network_state(procmail_t)
  kernel_read_system_state(procmail_t)
  kernel_read_kernel_sysctls(procmail_t)
  
@@ -57044,7 +57181,7 @@ index d447152..6f83f03 100644
  ')
  
  optional_policy(`
-@@ -100,12 +116,7 @@ optional_policy(`
+@@ -100,12 +117,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -57058,7 +57195,7 @@ index d447152..6f83f03 100644
  ')
  
  optional_policy(`
-@@ -113,16 +124,17 @@ optional_policy(`
+@@ -113,16 +125,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -57081,7 +57218,7 @@ index d447152..6f83f03 100644
  ')
  
  optional_policy(`
-@@ -131,6 +143,8 @@ optional_policy(`
+@@ -131,6 +144,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -60879,7 +61016,7 @@ index cd51b96..f7e9c70 100644
 +    admin_pattern($1, qpidd_var_run_t)
  ')
 diff --git a/qpid.te b/qpid.te
-index 76f5b39..599b6cd 100644
+index 76f5b39..53f9a64 100644
 --- a/qpid.te
 +++ b/qpid.te
 @@ -37,37 +37,40 @@ manage_dirs_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t)
@@ -60929,7 +61066,8 @@ index 76f5b39..599b6cd 100644
  sysnet_dns_name_resolve(qpidd_t)
  
  optional_policy(`
- 	corosync_stream_connect(qpidd_t)
+-	corosync_stream_connect(qpidd_t)
++	rhcs_stream_connect_cluster(qpidd_t)
  ')
 +
 diff --git a/quantum.fc b/quantum.fc
@@ -63522,10 +63660,10 @@ index b418d1c..1ad9c12 100644
  	xen_domtrans_xm(rgmanager_t)
  ')
 diff --git a/rhcs.fc b/rhcs.fc
-index 47de2d6..d022603 100644
+index 47de2d6..1f5dbf8 100644
 --- a/rhcs.fc
 +++ b/rhcs.fc
-@@ -1,31 +1,31 @@
+@@ -1,31 +1,74 @@
 -/etc/rc\.d/init\.d/dlm	--	gen_context(system_u:object_r:dlm_controld_initrc_exec_t,s0)
 -/etc/rc\.d/init\.d/foghorn	--	gen_context(system_u:object_r:foghorn_initrc_exec_t,s0)
 +/usr/sbin/dlm_controld			--	gen_context(system_u:object_r:dlm_controld_exec_t,s0)
@@ -63580,8 +63718,51 @@ index 47de2d6..d022603 100644
 +/var/run/gfs_controld\.pid		--	gen_context(system_u:object_r:gfs_controld_var_run_t,s0)
 +/var/run/groupd\.pid			--	gen_context(system_u:object_r:groupd_var_run_t,s0)
 +/var/run/qdiskd\.pid			--	gen_context(system_u:object_r:qdiskd_var_run_t,s0)
++
++# cluster administrative domains file spec
++/etc/rc\.d/init\.d/openais  --  gen_context(system_u:object_r:cluster_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/cpglockd         --  gen_context(system_u:object_r:cluster_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/corosync --  gen_context(system_u:object_r:cluster_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/rgmanager          --  gen_context(system_u:object_r:cluster_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/heartbeat    --  gen_context(system_u:object_r:cluster_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/pacemaker    --  gen_context(system_u:object_r:cluster_initrc_exec_t,s0)
++
++/usr/lib/systemd/system/corosync.*  -- gen_context(system_u:object_r:cluster_unit_file_t,s0)
++/usr/lib/systemd/system/pacemaker.* --  gen_context(system_u:object_r:cluster_unit_file_t,s0)
++
++/usr/sbin/aisexec   		--  gen_context(system_u:object_r:cluster_exec_t,s0)
++/usr/sbin/corosync  		--  gen_context(system_u:object_r:cluster_exec_t,s0)
++/usr/sbin/corosync-notifyd  --  gen_context(system_u:object_r:cluster_exec_t,s0)
++/usr/sbin/cpglockd			--	gen_context(system_u:object_r:cluster_exec_t,s0)
++/usr/sbin/ccs_tool      	--  gen_context(system_u:object_r:cluster_exec_t,s0)
++/usr/sbin/cman_tool     	--  gen_context(system_u:object_r:cluster_exec_t,s0)
++/usr/sbin/rgmanager         --  gen_context(system_u:object_r:cluster_exec_t,s0)
++/usr/sbin/pacemakerd    	--  gen_context(system_u:object_r:cluster_exec_t,s0)
++
++/usr/lib/heartbeat(/.*)?			gen_context(system_u:object_r:cluster_var_lib_t,s0)
++/usr/lib/heartbeat/heartbeat   -- 	gen_context(system_u:object_r:cluster_exec_t,s0)
++/var/lib/heartbeat(/.*)?			gen_context(system_u:object_r:cluster_var_lib_t,s0)
++/var/lib/corosync(/.*)? 			gen_context(system_u:object_r:cluster_var_lib_t,s0)
++/var/lib/openais(/.*)?  			gen_context(system_u:object_r:cluster_var_lib_t,s0)
++/var/lib/pacemaker(/.*)?			gen_context(system_u:object_r:cluster_var_lib_t,s0)
++/var/lib/pengine(/.*)?				gen_context(system_u:object_r:cluster_var_lib_t,s0)
++
++/var/run/aisexec.*  				gen_context(system_u:object_r:cluster_var_run_t,s0)
++/var/run/cman_.*    				-s  gen_context(system_u:object_r:cluster_var_run_t,s0)
++/var/run/cluster/rgmanager\.sk      -s  gen_context(system_u:object_r:cluster_var_run_t,s0)
++/var/run/cpglockd\.pid			--	gen_context(system_u:object_r:cluster_var_run_t,s0)
++/var/run/corosync\.pid 			--  gen_context(system_u:object_r:cluster_var_run_t,s0)
++/var/run/crm(/.*)?					gen_context(system_u:object_r:cluster_var_run_t,s0)
++/var/run/heartbeat(/.*)?            gen_context(system_u:object_r:cluster_var_run_t,s0)
++/var/run/rgmanager\.pid         --  gen_context(system_u:object_r:cluster_var_run_t,s0)
++/var/run/rsctmp(/.*)?   			gen_context(system_u:object_r:cluster_var_run_t,s0)
++
++/var/log/cluster/aisexec\.log.* --  gen_context(system_u:object_r:cluster_var_log_t,s0)
++/var/log/cluster/cpglockd\.log.*        --      gen_context(system_u:object_r:cluster_var_log_t,s0)
++/var/log/cluster/corosync\.log.*    --  gen_context(system_u:object_r:cluster_var_log_t,s0)
++/var/log/cluster/rgmanager\.log.*       --  gen_context(system_u:object_r:cluster_var_log_t,s0)
 diff --git a/rhcs.if b/rhcs.if
-index 56bc01f..aee7ba7 100644
+index 56bc01f..f0a05e8 100644
 --- a/rhcs.if
 +++ b/rhcs.if
 @@ -1,19 +1,19 @@
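Review bot: `/usr/lib/heartbeat(/.*)?` is labeled `cluster_var_lib_t`, a writable data type, while only `/usr/lib/heartbeat/heartbeat` is `cluster_exec_t`; the rhcs.te hunk later on this page gives `cluster_t` both `manage_*_pattern` and `can_exec` on `cluster_var_lib_t`, so anything else under /usr/lib/heartbeat becomes code the domain can rewrite and then execute in its own domain. Unless those files genuinely are runtime data, label the directory `cluster_exec_t` or leave it at the default lib type and keep `cluster_var_lib_t` for /var/lib paths only. The new entries also mix tab and space alignment (`/var/run/crm(/.*)?` versus `/var/run/heartbeat(/.*)?`), unlike the existing `\t--\t` layout in the rest of the file.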
@@ -63943,7 +64124,7 @@ index 56bc01f..aee7ba7 100644
  ')
  
  ######################################
-@@ -446,52 +456,77 @@ interface(`rhcs_domtrans_qdiskd',`
+@@ -446,52 +456,303 @@ interface(`rhcs_domtrans_qdiskd',`
  
  ########################################
  ## <summary>
@@ -63991,31 +64172,104 @@ index 56bc01f..aee7ba7 100644
  
 -	allow $1 cluster_domain:process { ptrace signal_perms };
 -	ps_process_pattern($1, cluster_domain)
--
++	files_search_var_lib($1)
++	read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
++')
++
++#####################################
++## <summary>
++##  Allow domain to manage cluster lib files
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`rhcs_manage_cluster_lib_files',`
++    gen_require(`
++        type cluster_var_lib_t;
++    ')
++
++    files_search_var_lib($1)
++    manage_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
++')
+ 
 -	init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t })
 -	domain_system_change_exemption($1)
 -	role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r;
 -	allow $2 system_r;
--
++####################################
++## <summary>
++##  Allow domain to relabel cluster lib files
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`rhcs_relabel_cluster_lib_files',`
++    gen_require(`
++        type cluster_var_lib_t;
++    ')
++
++    files_search_var_lib($1)
++    relabelto_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
++	relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
++')
+ 
 -	files_search_pids($1)
 -	admin_pattern($1, cluster_pid)
--
++######################################
++## <summary>
++##  Execute a domain transition to run cluster administrative domain.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed to transition.
++##  </summary>
++## </param>
++#
++interface(`rhcs_domtrans_cluster',`
++    gen_require(`
++        type cluster_t, cluster_exec_t;
++    ')
+ 
 -	files_search_locks($1)
 -	admin_pattern($1, fenced_lock_t)
--
++    corecmd_search_bin($1)
++    domtrans_pattern($1, cluster_exec_t, cluster_t)
++')
+ 
 -	files_search_tmp($1)
 -	admin_pattern($1, fenced_tmp_t)
--
- 	files_search_var_lib($1)
++#######################################
++## <summary>
++##  Execute cluster init scripts in
++##  the init script domain.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed to transition.
++##  </summary>
++## </param>
++#
++interface(`rhcs_initrc_domtrans_cluster',`
++    gen_require(`
++        type cluster_initrc_exec_t;
++    ')
+ 
+-	files_search_var_lib($1)
 -	admin_pattern($1, qdiskd_var_lib_t)
-+	read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
++    init_labeled_script_domtrans($1, cluster_initrc_exec_t)
 +')
  
 -	fs_search_tmpfs($1)
 -	admin_pattern($1, cluster_tmpfs)
 +#####################################
 +## <summary>
-+##  Allow domain to manage cluster lib files
++##  Execute cluster in the caller domain.
 +## </summary>
 +## <param name="domain">
 +##  <summary>
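Review bot: The new interfaces in this hunk indent their bodies with four spaces while the file's existing lines (including the removed `files_search_var_lib($1)` / `admin_pattern` lines) use a tab, and `rhcs_relabel_cluster_lib_files` itself switches to a tab on its `relabelfrom_files_pattern` line right after a space-indented `relabelto_files_pattern`. Pick the file's tab convention for every new body so the block reads uniformly.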
@@ -64023,20 +64277,18 @@ index 56bc01f..aee7ba7 100644
 +##  </summary>
 +## </param>
 +#
-+interface(`rhcs_manage_cluster_lib_files',`
++interface(`rhcs_exec_cluster',`
 +    gen_require(`
-+        type cluster_var_lib_t;
++        type cluster_exec_t;
 +    ')
- 
--	logging_search_logs($1)
--	admin_pattern($1, cluster_log)
-+    files_search_var_lib($1)
-+    manage_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
++
++    corecmd_search_bin($1)
++    can_exec($1, cluster_exec_t)
 +')
 +
-+####################################
++######################################
 +## <summary>
-+##  Allow domain to relabel cluster lib files
++##  Read cluster log files.
 +## </summary>
 +## <param name="domain">
 +##  <summary>
@@ -64044,53 +64296,464 @@ index 56bc01f..aee7ba7 100644
 +##  </summary>
 +## </param>
 +#
-+interface(`rhcs_relabel_cluster_lib_files',`
++interface(`rhcs_read_log_cluster',`
 +    gen_require(`
-+        type cluster_var_lib_t;
++        type cluster_var_log_t;
 +    ')
 +
-+    files_search_var_lib($1)
-+    relabelto_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
-+	relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
++    logging_search_logs($1)
++    list_dirs_pattern($1, cluster_var_log_t, cluster_var_log_t)
++    read_files_pattern($1, cluster_var_log_t, cluster_var_log_t)
++')
++
++######################################
++## <summary>
++##  Setattr cluster log files.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`rhcs_setattr_log_cluster',`
++    gen_require(`
++        type cluster_var_log_t;
++    ')
++
++    setattr_files_pattern($1, cluster_var_log_t, cluster_var_log_t)
++')
++
++#####################################
++## <summary>
++##  Allow manage cluster tmp files.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`rhcs_manage_cluster_tmp_files',`
++    gen_require(`
++        type cluster_tmp_t;
++    ')
++
++    files_search_tmp($1)
++    manage_files_pattern($1, cluster_tmp_t, cluster_tmp_t)
++')
++
++#####################################
++## <summary>
++##  Allow the specified domain to read/write cluster's tmpfs files.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`rhcs_rw_cluster_tmpfs',`
++    gen_require(`
++        type cluster_tmpfs_t;
++    ')
++
++    rw_files_pattern($1, cluster_tmpfs_t, cluster_tmpfs_t)
++')
++
++#####################################
++## <summary>
++##  Allow manage cluster tmpfs files.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`rhcs_manage_cluster_tmpfs_files',`
++    gen_require(`
++        type rgmanager_tmpfs_t;
++    ')
++
++    fs_search_tmpfs($1)
++    manage_files_pattern($1, cluster_tmpfs_t, cluster_tmpfs_t)
++')
++
++#######################################
++## <summary>
++##  Execute cluster server in the cluster domain.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed to transition.
++##  </summary>
++## </param>
++#
++interface(`rhcs_systemctl_cluster',`
++    gen_require(`
++        type cluster_t;
++        type cluster_unit_file_t;
++    ')
++
++    systemd_exec_systemctl($1)
++    allow $1 cluster_unit_file_t:file read_file_perms;
++    allow $1 cluster_unit_file_t:service manage_service_perms;
++
++    ps_process_pattern($1, cluster_t)
++')
++
++#####################################
++## <summary>
++##  All of the rules required to administrate
++##  an cluster environment
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++## <param name="role">
++##  <summary>
++##  The role to be allowed to manage the rgmanager domain.
++##  </summary>
++## </param>
++## <rolecap/>
++#
++interface(`rhcs_admin_cluster',`
++    gen_require(`
++        type cluster_t, cluster_initrc_exec_t, cluster_tmp_t;
++        type cluster_tmpfs_t, cluster_var_log_t, cluster_var_run_t;
++		type cluster_unit_file_t;
++    ')
++
++    allow $1 cluster_t:process signal_perms;
++    ps_process_pattern($1, cluster_t)
++
++    tunable_policy(`deny_ptrace',`',`
++        allow $1 cluster_t:process ptrace;
++    ')
++
++    init_labeled_script_domtrans($1, cluster_initrc_exec_t)
++    domain_system_change_exemption($1)
++    role_transition $2 cluster_initrc_exec_t system_r;
++    allow $2 system_r;
++
++    files_list_tmp($1)
++    admin_pattern($1, cluster_tmp_t)
++
++    admin_pattern($1, cluster_tmpfs_t)
++
++    logging_list_logs($1)
++    admin_pattern($1, cluster_var_log_t)
++
++    files_list_pids($1)
++    admin_pattern($1, cluster_var_run_t)
+ 
+-	logging_search_logs($1)
+-	admin_pattern($1, cluster_log)
++    rhcs_systemctl_cluster($1)
++    admin_pattern($1, cluster_unit_file_t)
++    allow $1 cluster_unit_file_t:service all_service_perms;
  ')
 diff --git a/rhcs.te b/rhcs.te
-index 2c2de9a..d8bf297 100644
+index 2c2de9a..a1461c9 100644
 --- a/rhcs.te
 +++ b/rhcs.te
-@@ -50,6 +50,10 @@ rhcs_domain_template(qdiskd)
+@@ -20,6 +20,27 @@ gen_tunable(fenced_can_network_connect, false)
+ ## </desc>
+ gen_tunable(fenced_can_ssh, false)
+ 
++## <desc>
++## <p>
++## Allow cluster administrative domains to connect to the network using TCP.
++## </p>
++## </desc>
++gen_tunable(cluster_can_network_connect, false)
++
++## <desc>
++## <p>
++## Allow cluster administrative domains to manage all files on a system.
++## </p>
++## </desc>
++gen_tunable(cluster_manage_all_files, false)
++
++## <desc>
++## <p>
++## Allow cluster administrative cluster domains memcheck-amd64- to use executable memory
++## </p>
++## </desc>
++gen_tunable(cluster_use_execmem, false)
++
+ attribute cluster_domain;
+ attribute cluster_log;
+ attribute cluster_pid;
+@@ -50,28 +71,259 @@ rhcs_domain_template(qdiskd)
  type qdiskd_var_lib_t;
  files_type(qdiskd_var_lib_t)
  
-+# type for cluster lib files
++# cluster_t is a new domain for administrative generic cluster services 
++# (rgmanager, corosync, hearbeat, cman, pacemaker)
++rhcs_domain_template(cluster)
++
++typealias cluster_t alias { aisexec_t corosync_t pacemaker_t rgmanager_t };
++typealias cluster_exec_t alias { aisexec_exec_t corosync_exec_t pacemaker_exec_t rgmanager_exec_t };
++typealias cluster_tmpfs_t alias { aisexec_tmpfs_t corosync_tmpfs_t pacemaker_tmpfs_t rgmanager_tmpfs_t };
++typealias cluster_var_log_t alias { aisexec_var_log_t corosync_var_log_t rgmanager_var_log_t };
++typealias cluster_var_run_t alias { aisexec_var_run_t corosync_var_run_t pacemaker_var_run_t rgmanager_var_run_t };
++
++type cluster_initrc_exec_t;
++typealias cluster_initrc_exec_t alias { aisexec_initrc_exec_t corosync_initrc_exec_t pacemaker rgmanager_initrc_exec_t };
++init_script_file(cluster_initrc_exec_t)
++
++type cluster_tmp_t;
++typealias cluster_tmp_t alias { aisexec_tmp_t corosync_tmp_t pacemaker_tmp_t rgmanager_tmp_t };
++files_tmp_file(cluster_tmp_t)
++
 +type cluster_var_lib_t;
++typealias cluster_var_lib_t alias { aisexec_var_lib_t corosync_var_lib_t pacemaker_var_lib_t rgmanager_var_lib_t };
 +files_type(cluster_var_lib_t)
 +
++type cluster_unit_file_t;
++typealias cluster_unit_file_t alias { corosync_unit_file_t pacemaker_unit_file_t };
++systemd_unit_file(cluster_unit_file_t)
++
  #####################################
  #
  # Common cluster domains local policy
-@@ -62,10 +66,6 @@ allow cluster_domain self:fifo_file rw_fifo_file_perms;
+ #
+ 
+ allow cluster_domain self:capability sys_nice;
+-allow cluster_domain self:process setsched;
++allow cluster_domain self:process { signal setsched };
+ allow cluster_domain self:sem create_sem_perms;
+ allow cluster_domain self:fifo_file rw_fifo_file_perms;
  allow cluster_domain self:unix_stream_socket create_stream_socket_perms;
  allow cluster_domain self:unix_dgram_socket create_socket_perms;
  
 -logging_send_syslog_msg(cluster_domain)
--
++optional_policy(`
++	ccs_stream_connect(cluster_domain)
++')
++
++optional_policy(`
++	dbus_system_bus_client(cluster_domain)
++')
++
++#####################################
++#
++# cluster domain local policy
++#
+ 
 -miscfiles_read_localization(cluster_domain)
--
++allow cluster_t self:capability { dac_override fowner setuid setgid sys_nice sys_admin sys_resource ipc_lock ipc_owner };
++# for hearbeat
++allow cluster_t self:capability { net_raw chown };
++allow cluster_t self:capability2 block_suspend;
++allow cluster_t self:process { setpgid setrlimit setsched signull };
++
++allow cluster_t self:tcp_socket create_stream_socket_perms;
++allow cluster_t self:shm create_shm_perms;
++
++manage_dirs_pattern(cluster_t, cluster_tmp_t, cluster_tmp_t)
++manage_files_pattern(cluster_t, cluster_tmp_t, cluster_tmp_t)
++files_tmp_filetrans(cluster_t, cluster_tmp_t, { file dir })
++
++can_exec(cluster_t, cluster_var_lib_t)
++manage_files_pattern(cluster_t, cluster_var_lib_t,cluster_var_lib_t)
++manage_dirs_pattern(cluster_t, cluster_var_lib_t,cluster_var_lib_t)
++manage_sock_files_pattern(cluster_t, cluster_var_lib_t,cluster_var_lib_t)
++manage_fifo_files_pattern(cluster_t, cluster_var_lib_t,cluster_var_lib_t)
++files_var_lib_filetrans(cluster_t,cluster_var_lib_t, { file dir fifo_file sock_file })
++
++can_exec(cluster_t, cluster_exec_t)
++
++kernel_kill(cluster_t)
++kernel_read_all_sysctls(cluster_t)
++kernel_read_system_state(cluster_t)
++kernel_rw_rpc_sysctls(cluster_t)
++kernel_search_debugfs(cluster_t)
++kernel_search_network_state(cluster_t)
++
++corecmd_exec_bin(cluster_t)
++corecmd_exec_shell(cluster_t)
++
++corenet_all_recvfrom_unlabeled(cluster_t)
++corenet_all_recvfrom_netlabel(cluster_t)
++corenet_udp_sendrecv_generic_if(cluster_t)
++corenet_udp_sendrecv_generic_node(cluster_t)
++corenet_udp_bind_generic_node(cluster_t)
++
++corenet_sendrecv_netsupport_server_packets(cluster_t)
++corenet_udp_bind_netsupport_port(cluster_t)
++corenet_udp_sendrecv_netsupport_port(cluster_t)
++
++corenet_sendrecv_cluster_server_packets(cluster_t)
++corenet_udp_bind_cluster_port(cluster_t)
++corenet_udp_sendrecv_cluster_port(cluster_t)
++
++# need to write to /dev/misc/dlm-contro
++dev_rw_dlm_control(cluster_t)
++dev_setattr_dlm_control(cluster_t)
++dev_read_sysfs(cluster_t)
++dev_read_rand(cluster_t)
++dev_read_urand(cluster_t)
++
++domain_read_all_domains_state(cluster_t)
++
++fs_getattr_xattr_fs(cluster_t)
++fs_getattr_all_fs(cluster_t)
++
++storage_raw_read_fixed_disk(cluster_t)
++
++term_getattr_pty_fs(cluster_t)
++
++files_manage_mounttab(cluster_t)
++# needed by resources scripts
++files_read_non_security_files(cluster_t)
++auth_dontaudit_getattr_shadow(cluster_t)
++
++init_domtrans_script(cluster_t)
++init_initrc_domain(cluster_t)
++init_read_script_state(cluster_t)
++init_rw_script_tmp_files(cluster_t)
++init_manage_script_status_files(cluster_t)
++
++userdom_read_user_tmp_files(cluster_t)
++userdom_delete_user_tmpfs_files(cluster_t)
++userdom_rw_user_tmpfs_files(cluster_t)
++userdom_kill_all_users(cluster_t)
++
++tunable_policy(`cluster_can_network_connect',`
++    corenet_tcp_connect_all_ports(cluster_t)
++')
++
++tunable_policy(`cluster_manage_all_files',`
++	files_create_var_run_dirs(cluster_t)
++	files_getattr_all_symlinks(cluster_t)
++	files_list_all(cluster_t)
++	files_manage_mnt_dirs(cluster_t)
++	files_manage_mnt_files(cluster_t)
++	files_manage_mnt_symlinks(cluster_t)
++	files_manage_isid_type_files(cluster_t)
++	files_manage_isid_type_dirs(cluster_t)
++	fs_manage_tmpfs_files(cluster_t)
++')
+ 
  optional_policy(`
- 	ccs_stream_connect(cluster_domain)
- ')
-@@ -74,6 +74,10 @@ optional_policy(`
- 	corosync_stream_connect(cluster_domain)
+-	ccs_stream_connect(cluster_domain)
++    ccs_read_config(cluster_t)
  ')
  
+ optional_policy(`
+-	corosync_stream_connect(cluster_domain)
++    cmirrord_rw_shm(cluster_t)
++')
++
 +optional_policy(`
-+	dbus_system_bus_client(cluster_domain)
++    consoletype_exec(cluster_t)
++')
++
++optional_policy(`
++    lvm_domtrans(cluster_t)
++	lvm_rw_clvmd_tmpfs_files(cluster_t)
++    lvm_delete_clvmd_tmpfs_files(cluster_t)
++')
++
++optional_policy(`
++    fstools_domtrans(cluster_t)
++')
++
++
++optional_policy(`
++    hostname_exec(cluster_t)
++')
++
++optional_policy(`
++    ccs_manage_config(cluster_t)
++    ccs_stream_connect(cluster_t)
++')
++
++optional_policy(`
++    ldap_systemctl(cluster_t)
++')
++
++optional_policy(`
++    mount_domtrans(cluster_t)
++')
++
++optional_policy(`
++    mysql_domtrans_mysql_safe(cluster_t)
++    mysql_stream_connect(cluster_t)
++')
++
++optional_policy(`
++    netutils_domtrans(cluster_t)
++    netutils_domtrans_ping(cluster_t)
++')
++
++optional_policy(`
++    postgresql_signal(cluster_t)
 +')
 +
++optional_policy(`
++	rhcs_getattr_fenced(cluster_t)
++	rhcs_rw_cluster_shm(cluster_t)
++    rhcs_rw_cluster_semaphores(cluster_t)
++    rhcs_stream_connect_cluster(cluster_t)
++    rhcs_relabel_cluster_lib_files(cluster_t)
++')
++
++optional_policy(`
++    rdisc_exec(cluster_t)
++')
++
++optional_policy(`
++    ricci_dontaudit_rw_modcluster_pipes(cluster_t)
++')
++
++optional_policy(`
++    rpc_systemctl_nfsd(cluster_t)
++    rpc_systemctl_rpcd(cluster_t)
++
++    rpc_domtrans_nfsd(cluster_t)
++    rpc_domtrans_rpcd(cluster_t)
++    rpc_manage_nfs_state_data(cluster_t)
++')
++
++optional_policy(`
++    samba_manage_var_files(cluster_t)
++    samba_rw_config(cluster_t)
++    samba_signal_smbd(cluster_t)
++    samba_signal_nmbd(cluster_t)
++')
++
++optional_policy(`
++    sysnet_domtrans_ifconfig(cluster_t)
++')
++
++optional_policy(`
++    udev_read_db(cluster_t)
++')
++
++optional_policy(`
++    virt_stream_connect(cluster_t)
++')
++
++optional_policy(`
++    unconfined_domain(cluster_t)
++')
++
++optional_policy(`
++    wdmd_rw_tmpfs(cluster_t)
++')
++
++optional_policy(`
++    xen_domtrans_xm(cluster_t)
+ ')
+ 
  #####################################
- #
- # dlm_controld local policy
-@@ -98,6 +102,12 @@ fs_manage_configfs_dirs(dlm_controld_t)
+@@ -98,6 +350,12 @@ fs_manage_configfs_dirs(dlm_controld_t)
  
  init_rw_script_tmp_files(dlm_controld_t)
  
@@ -64103,7 +64766,7 @@ index 2c2de9a..d8bf297 100644
  #######################################
  #
  # fenced local policy
-@@ -105,9 +115,13 @@ init_rw_script_tmp_files(dlm_controld_t)
+@@ -105,9 +363,13 @@ init_rw_script_tmp_files(dlm_controld_t)
  
  allow fenced_t self:capability { sys_rawio sys_resource };
  allow fenced_t self:process { getsched signal_perms };
@@ -64118,7 +64781,7 @@ index 2c2de9a..d8bf297 100644
  manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t)
  files_lock_filetrans(fenced_t, fenced_lock_t, file)
  
-@@ -118,9 +132,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
+@@ -118,9 +380,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
  
  stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
  
@@ -64129,7 +64792,7 @@ index 2c2de9a..d8bf297 100644
  
  corecmd_exec_bin(fenced_t)
  corecmd_exec_shell(fenced_t)
-@@ -148,9 +161,7 @@ corenet_tcp_sendrecv_http_port(fenced_t)
+@@ -148,9 +409,7 @@ corenet_tcp_sendrecv_http_port(fenced_t)
  
  dev_read_sysfs(fenced_t)
  dev_read_urand(fenced_t)
@@ -64140,7 +64803,7 @@ index 2c2de9a..d8bf297 100644
  
  storage_raw_read_fixed_disk(fenced_t)
  storage_raw_write_fixed_disk(fenced_t)
-@@ -160,7 +171,7 @@ term_getattr_pty_fs(fenced_t)
+@@ -160,7 +419,7 @@ term_getattr_pty_fs(fenced_t)
  term_use_generic_ptys(fenced_t)
  term_use_ptmx(fenced_t)
  
@@ -64149,7 +64812,7 @@ index 2c2de9a..d8bf297 100644
  
  tunable_policy(`fenced_can_network_connect',`
  	corenet_sendrecv_all_client_packets(fenced_t)
-@@ -190,10 +201,6 @@ optional_policy(`
+@@ -190,10 +449,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -64160,7 +64823,7 @@ index 2c2de9a..d8bf297 100644
  	lvm_domtrans(fenced_t)
  	lvm_read_config(fenced_t)
  ')
-@@ -203,6 +210,13 @@ optional_policy(`
+@@ -203,6 +458,13 @@ optional_policy(`
  	snmp_manage_var_lib_dirs(fenced_t)
  ')
  
@@ -64174,7 +64837,7 @@ index 2c2de9a..d8bf297 100644
  #######################################
  #
  # foghorn local policy
-@@ -223,7 +237,8 @@ corenet_tcp_sendrecv_agentx_port(foghorn_t)
+@@ -223,7 +485,8 @@ corenet_tcp_sendrecv_agentx_port(foghorn_t)
  
  dev_read_urand(foghorn_t)
  
@@ -64184,7 +64847,7 @@ index 2c2de9a..d8bf297 100644
  
  optional_policy(`
  	dbus_connect_system_bus(foghorn_t)
-@@ -257,6 +272,8 @@ storage_getattr_removable_dev(gfs_controld_t)
+@@ -257,6 +520,8 @@ storage_getattr_removable_dev(gfs_controld_t)
  
  init_rw_script_tmp_files(gfs_controld_t)
  
@@ -64193,7 +64856,7 @@ index 2c2de9a..d8bf297 100644
  optional_policy(`
  	lvm_exec(gfs_controld_t)
  	dev_rw_lvm_control(gfs_controld_t)
-@@ -275,10 +292,10 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
+@@ -275,10 +540,10 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
  
  dev_list_sysfs(groupd_t)
  
@@ -64206,7 +64869,7 @@ index 2c2de9a..d8bf297 100644
  ######################################
  #
  # qdiskd local policy
-@@ -321,6 +338,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
+@@ -321,6 +586,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
  
  auth_use_nsswitch(qdiskd_t)
  
@@ -65218,7 +65881,7 @@ index 2ab3ed1..23d579c 100644
  	role_transition $2 ricci_initrc_exec_t system_r;
  	allow $2 system_r;
 diff --git a/ricci.te b/ricci.te
-index 9702ed2..fa21335 100644
+index 9702ed2..eeb9e48 100644
 --- a/ricci.te
 +++ b/ricci.te
 @@ -115,7 +115,6 @@ kernel_read_system_state(ricci_t)
@@ -65246,20 +65909,31 @@ index 9702ed2..fa21335 100644
  sysnet_dns_name_resolve(ricci_t)
  
  optional_policy(`
-@@ -235,9 +231,9 @@ init_domtrans_script(ricci_modcluster_t)
+@@ -235,13 +231,8 @@ init_domtrans_script(ricci_modcluster_t)
  
  logging_send_syslog_msg(ricci_modcluster_t)
  
 -miscfiles_read_localization(ricci_modcluster_t)
 -
 -ricci_stream_connect_modclusterd(ricci_modcluster_t)
-+optional_policy(`
+-
+ optional_policy(`
+-	aisexec_stream_connect(ricci_modcluster_t)
+-	corosync_stream_connect(ricci_modcluster_t)
 +	ricci_stream_connect_modclusterd(ricci_modcluster_t)
-+')
+ ')
  
  optional_policy(`
- 	aisexec_stream_connect(ricci_modcluster_t)
-@@ -336,8 +332,6 @@ locallogin_dontaudit_use_fds(ricci_modclusterd_t)
+@@ -271,7 +262,7 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	rgmanager_stream_connect(ricci_modcluster_t)
++	rhcs_stream_connect_cluster(ricci_modcluster_t)
+ ')
+ 
+ ########################################
+@@ -336,23 +327,16 @@ locallogin_dontaudit_use_fds(ricci_modclusterd_t)
  
  logging_send_syslog_msg(ricci_modclusterd_t)
  
@@ -65268,7 +65942,23 @@ index 9702ed2..fa21335 100644
  sysnet_domtrans_ifconfig(ricci_modclusterd_t)
  
  optional_policy(`
-@@ -374,12 +368,10 @@ corecmd_exec_bin(ricci_modlog_t)
+-	aisexec_stream_connect(ricci_modclusterd_t)
+-	corosync_stream_connect(ricci_modclusterd_t)
+-')
+-
+-optional_policy(`
+ 	ccs_domtrans(ricci_modclusterd_t)
+ 	ccs_stream_connect(ricci_modclusterd_t)
+ 	ccs_read_config(ricci_modclusterd_t)
+ ')
+ 
+ optional_policy(`
+-	rgmanager_stream_connect(ricci_modclusterd_t)
++	rhcs_stream_connect_cluster(ricci_modclusterd_t)
+ ')
+ 
+ optional_policy(`
+@@ -374,12 +358,10 @@ corecmd_exec_bin(ricci_modlog_t)
  
  domain_read_all_domains_state(ricci_modlog_t)
  
@@ -65281,7 +65971,7 @@ index 9702ed2..fa21335 100644
  
  optional_policy(`
  	nscd_dontaudit_search_pid(ricci_modlog_t)
-@@ -401,9 +393,8 @@ kernel_read_kernel_sysctls(ricci_modrpm_t)
+@@ -401,9 +383,8 @@ kernel_read_kernel_sysctls(ricci_modrpm_t)
  corecmd_exec_bin(ricci_modrpm_t)
  
  files_search_usr(ricci_modrpm_t)
@@ -65292,7 +65982,7 @@ index 9702ed2..fa21335 100644
  
  optional_policy(`
  	oddjob_system_entry(ricci_modrpm_t, ricci_modrpm_exec_t)
-@@ -428,14 +419,13 @@ kernel_read_system_state(ricci_modservice_t)
+@@ -428,14 +409,13 @@ kernel_read_system_state(ricci_modservice_t)
  corecmd_exec_bin(ricci_modservice_t)
  corecmd_exec_shell(ricci_modservice_t)
  
@@ -65308,7 +65998,7 @@ index 9702ed2..fa21335 100644
  
  optional_policy(`
  	ccs_read_config(ricci_modservice_t)
-@@ -460,7 +450,6 @@ optional_policy(`
+@@ -460,7 +440,6 @@ optional_policy(`
  
  allow ricci_modstorage_t self:capability { mknod sys_nice };
  allow ricci_modstorage_t self:process { setsched signal };
@@ -65316,7 +66006,7 @@ index 9702ed2..fa21335 100644
  allow ricci_modstorage_t self:fifo_file rw_fifo_file_perms;
  
  kernel_read_kernel_sysctls(ricci_modstorage_t)
-@@ -480,16 +469,21 @@ domain_read_all_domains_state(ricci_modstorage_t)
+@@ -480,21 +459,21 @@ domain_read_all_domains_state(ricci_modstorage_t)
  
  files_manage_etc_files(ricci_modstorage_t)
  files_read_etc_runtime_files(ricci_modstorage_t)
@@ -65334,13 +66024,18 @@ index 9702ed2..fa21335 100644
  term_dontaudit_use_console(ricci_modstorage_t)
  
 -logging_send_syslog_msg(ricci_modstorage_t)
+-
+-miscfiles_read_localization(ricci_modstorage_t)
 +auth_use_nsswitch(ricci_modstorage_t)
  
--miscfiles_read_localization(ricci_modstorage_t)
+-optional_policy(`
+-	aisexec_stream_connect(ricci_modstorage_t)
+-	corosync_stream_connect(ricci_modstorage_t)
+-')
 +logging_send_syslog_msg(ricci_modstorage_t)
  
  optional_policy(`
- 	aisexec_stream_connect(ricci_modstorage_t)
+ 	ccs_stream_connect(ricci_modstorage_t)
 diff --git a/rlogin.fc b/rlogin.fc
 index f111877..e361ee9 100644
 --- a/rlogin.fc
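Review bot: For ricci_modstorage_t the `aisexec_stream_connect` / `corosync_stream_connect` optional_policy block is now deleted outright by the patch, whereas the ricci_modclusterd_t block earlier in this file and the snmp.te and wdmd.te hunks migrate the same access to `rhcs_stream_connect_cluster`. If the storage module still opens the cluster socket it will be denied after this change; if it never needed it, the drop is a tightening worth a line in the changelog. The optional_policy block opened at the end of the hunk (`ccs_stream_connect(ricci_modstorage_t)`) continues outside it, so a replacement call may sit there and should be confirmed.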
@@ -66099,7 +66794,7 @@ index 3bd6446..a61764b 100644
 +	allow $1 var_lib_nfs_t:file relabel_file_perms;
  ')
 diff --git a/rpc.te b/rpc.te
-index e5212e6..37860b7 100644
+index e5212e6..699925d 100644
 --- a/rpc.te
 +++ b/rpc.te
 @@ -1,4 +1,4 @@
@@ -66288,25 +66983,25 @@ index e5212e6..37860b7 100644
  optional_policy(`
 -	nis_read_ypserv_config(rpcd_t)
 +	domain_unconfined_signal(rpcd_t)
++')
++
++optional_policy(`
++	quota_manage_db(rpcd_t)
  ')
  
  optional_policy(`
 -	quota_manage_db_files(rpcd_t)
-+	quota_manage_db(rpcd_t)
++	nis_read_ypserv_config(rpcd_t)
  ')
  
  optional_policy(`
 -	rgmanager_manage_tmp_files(rpcd_t)
-+	nis_read_ypserv_config(rpcd_t)
++	quota_read_db(rpcd_t)
  ')
  
  optional_policy(`
 -	unconfined_signal(rpcd_t)
-+	quota_read_db(rpcd_t)
-+')
-+
-+optional_policy(`
-+	rgmanager_manage_tmp_files(rpcd_t)
++	rhcs_manage_cluster_tmp_files(rpcd_t)
  ')
  
  ########################################
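Review bot: `rhcs_manage_cluster_tmp_files(rpcd_t)` at the end of the hunk replaces `rgmanager_manage_tmp_files(rpcd_t)`, and since the changelog says rgmanager, corosync, pacemaker and aisexec were merged into one cluster_t, rpcd_t presumably now gets manage access to the tmp files of all four daemons rather than rgmanager's alone. The rename is forced by the merge, but the widening is recorded nowhere; a comment on the call such as `# rgmanager tmp files; the cluster tmp type is shared with corosync/pacemaker since the merge` would show it was considered. The same scope widening applies to `rhcs_stream_connect_cluster(snmpd_t)` in the snmp.te hunk and to the three `rhcs_*_cluster(wdmd_t)` calls in the wdmd.te hunk.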
@@ -68164,7 +68859,7 @@ index f1140ef..c5bd83a 100644
 +	files_etc_filetrans($1, rsync_etc_t, $2, $3)
  ')
 diff --git a/rsync.te b/rsync.te
-index e3e7c96..2574954 100644
+index e3e7c96..68cba2d 100644
 --- a/rsync.te
 +++ b/rsync.te
 @@ -1,4 +1,4 @@
@@ -68173,7 +68868,7 @@ index e3e7c96..2574954 100644
  
  ########################################
  #
-@@ -6,67 +6,60 @@ policy_module(rsync, 1.12.2)
+@@ -6,67 +6,46 @@ policy_module(rsync, 1.12.2)
  #
  
  ## <desc>
@@ -68182,12 +68877,12 @@ index e3e7c96..2574954 100644
 -##	cifs file systems.
 -##	</p>
 +## <p>
-+## Allow rsync servers to share cifs files systems
++## Allow rsync to run as a client
 +## </p>
  ## </desc>
- gen_tunable(rsync_use_cifs, false)
- 
- ## <desc>
+-gen_tunable(rsync_use_cifs, false)
+-
+-## <desc>
 -##	<p>
 -##	Determine whether rsync can
 -##	use fuse file systems.
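Review bot: The new side of the patch now removes `gen_tunable(rsync_use_cifs, false)` from rsync.te (and `gen_tunable(rsync_use_nfs, false)` in the following hunk), while the `## <desc>` blocks are reshuffled onto the remaining tunables. Neither changelog entry mentions dropping these booleans, which sites may have enabled with setsebool, so the removal is undocumented. Whether this is a tightening or a silent loosening depends on what happened to the matching `tunable_policy(rsync_use_cifs, ...)` / `tunable_policy(rsync_use_nfs, ...)` blocks in the body hunk (`@@ -108,91 +97,76 @@`), which this chunk does not show; if the cifs/nfs access became unconditional that should be stated. The hunks that follow, through the `gen_tunable(rsync_export_all_ro, false)` move, are part of the same rework.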
@@ -68200,11 +68895,9 @@ index e3e7c96..2574954 100644
 -##	Determine whether rsync can use
 -##	nfs file systems.
 -##	</p>
-+## <p>
-+## Allow rsync servers to share nfs files systems
-+## </p>
- ## </desc>
- gen_tunable(rsync_use_nfs, false)
+-## </desc>
+-gen_tunable(rsync_use_nfs, false)
++gen_tunable(rsync_client, false)
  
  ## <desc>
 -##	<p>
@@ -68212,10 +68905,11 @@ index e3e7c96..2574954 100644
 -##	run as a client
 -##	</p>
 +## <p>
-+## Allow rsync to run as a client
++## Allow rsync to export any files/directories read only.
 +## </p>
  ## </desc>
- gen_tunable(rsync_client, false)
+-gen_tunable(rsync_client, false)
++gen_tunable(rsync_export_all_ro, false)
  
  ## <desc>
 -##	<p>
@@ -68223,21 +68917,15 @@ index e3e7c96..2574954 100644
 -##	export all content read only.
 -##	</p>
 +## <p>
-+## Allow rsync to export any files/directories read only.
-+## </p>
- ## </desc>
- gen_tunable(rsync_export_all_ro, false)
- 
- ## <desc>
-+## <p>
 +## Allow rsync to modify public files
 +## used for public file transfer services.  Files/Directories must be
 +## labeled public_content_rw_t.
 +## </p>
-+## </desc>
+ ## </desc>
+-gen_tunable(rsync_export_all_ro, false)
 +gen_tunable(rsync_anon_write, false)
-+
-+## <desc>
+ 
+ ## <desc>
  ##	<p>
 -##	Determine whether rsync can modify
 -##	public files used for public file
@@ -68268,7 +68956,7 @@ index e3e7c96..2574954 100644
  files_type(rsync_data_t)
  
  type rsync_log_t;
-@@ -86,15 +79,25 @@ files_pid_file(rsync_var_run_t)
+@@ -86,15 +65,25 @@ files_pid_file(rsync_var_run_t)
  allow rsync_t self:capability { chown dac_read_search dac_override fowner fsetid setuid setgid sys_chroot };
  allow rsync_t self:process signal_perms;
  allow rsync_t self:fifo_file rw_fifo_file_perms;
@@ -68299,7 +68987,7 @@ index e3e7c96..2574954 100644
  logging_log_filetrans(rsync_t, rsync_log_t, file)
  
  manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t)
-@@ -108,91 +111,76 @@ kernel_read_kernel_sysctls(rsync_t)
+@@ -108,91 +97,76 @@ kernel_read_kernel_sysctls(rsync_t)
  kernel_read_system_state(rsync_t)
  kernel_read_network_state(rsync_t)
  
@@ -75129,7 +75817,7 @@ index 7a9cc9d..86cbca9 100644
  	init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/snmp.te b/snmp.te
-index 81864ce..a56b827 100644
+index 81864ce..54a1bc6 100644
 --- a/snmp.te
 +++ b/snmp.te
 @@ -27,11 +27,13 @@ files_type(snmpd_var_lib_t)
@@ -75195,6 +75883,15 @@ index 81864ce..a56b827 100644
  
  seutil_dontaudit_search_config(snmpd_t)
  
+@@ -131,7 +133,7 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	corosync_stream_connect(snmpd_t)
++	rhcs_stream_connect_cluster(snmpd_t)
+ ')
+ 
+ optional_policy(`
 diff --git a/snort.if b/snort.if
 index 7d86b34..5f58180 100644
 --- a/snort.if
@@ -86819,18 +87516,23 @@ index 1e3aec0..d17ff39 100644
 +
  ')
 diff --git a/wdmd.te b/wdmd.te
-index ebbdaf6..63c53ba 100644
+index ebbdaf6..956f8f0 100644
 --- a/wdmd.te
 +++ b/wdmd.te
-@@ -51,8 +51,6 @@ auth_use_nsswitch(wdmd_t)
+@@ -51,10 +51,8 @@ auth_use_nsswitch(wdmd_t)
  
  logging_send_syslog_msg(wdmd_t)
  
 -miscfiles_read_localization(wdmd_t)
 -
  optional_policy(`
- 	corosync_initrc_domtrans(wdmd_t)
- 	corosync_stream_connect(wdmd_t)
+-	corosync_initrc_domtrans(wdmd_t)
+-	corosync_stream_connect(wdmd_t)
+-	corosync_rw_tmpfs(wdmd_t)
++	rhcs_initrc_domtrans_cluster(wdmd_t)
++	rhcs_stream_connect_cluster(wdmd_t)
++	rhcs_rw_cluster_tmpfs(wdmd_t)
+ ')
 diff --git a/webadm.te b/webadm.te
 index 708254f..d26f598 100644
 --- a/webadm.te
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 45f4167..1d8a7f4 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 16%{?dist}
+Release: 18%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -230,7 +230,7 @@ if [ $? = 0  -a "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \
      rm -f ${FILE_CONTEXT}.pre; \
 fi; \
 /sbin/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null; \
-/sbin/restorecon -R /home/*/.cache /home/*/.config 2> /dev/null;
+/sbin/restorecon -R /home/*/.cache /home/*/.config 2> /dev/null; \
 
 %define preInstall() \
 if [ $1 -ne 1 ] && [ -s /etc/selinux/config ]; then \
@@ -253,7 +253,7 @@ fi;
 . %{_sysconfdir}/selinux/config; \
 if [ -e /etc/selinux/%2/.rebuild ]; then \
    rm /etc/selinux/%2/.rebuild; \
-   (cd /etc/selinux/%2/modules/active/modules; rm -f shutdown.pp amavis.pp clamav.pp gnomeclock.pp matahari.pp xfs.pp kudzu.pp kerneloops.pp execmem.pp openoffice.pp ada.pp tzdata.pp hal.pp hotplug.pp howl.pp java.pp mono.pp moilscanner.pp gamin.pp audio_entropy.pp audioentropy.pp iscsid.pp polkit_auth.pp polkit.pp rtkit_daemon.pp ModemManager.pp telepathysofiasip.pp ethereal.pp passanger.pp qpidd.pp pyzor.pp razor.pp pki-selinux.pp phpfpm.pp consoletype.pp ctdbd.pp fcoemon.pp isnsd.pp l2tp.pp ) \
+   (cd /etc/selinux/%2/modules/active/modules; rm -f shutdown.pp amavis.pp clamav.pp gnomeclock.pp matahari.pp xfs.pp kudzu.pp kerneloops.pp execmem.pp openoffice.pp ada.pp tzdata.pp hal.pp hotplug.pp howl.pp java.pp mono.pp moilscanner.pp gamin.pp audio_entropy.pp audioentropy.pp iscsid.pp polkit_auth.pp polkit.pp rtkit_daemon.pp ModemManager.pp telepathysofiasip.pp ethereal.pp passanger.pp qpidd.pp pyzor.pp razor.pp pki-selinux.pp phpfpm.pp consoletype.pp ctdbd.pp fcoemon.pp isnsd.pp l2tp.pp rgmanager.pp corosync.pp aisexec.pp pacemaker.pp ) \
    /usr/sbin/semodule -B -n -s %2; \
 else \
     touch /etc/selinux/%2/modules/active/modules/sandbox.disabled \
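Review bot: The four obsolete modules are only removed inside the `if [ -e /etc/selinux/%2/.rebuild ]` branch, so on an upgrade that does not set the .rebuild marker the installed rgmanager.pp, corosync.pp, aisexec.pp and pacemaker.pp stay loaded next to the new rhcs.pp. Whether the marker is always set on upgrade is outside this chunk; if it is not, the stale modules keep granting their old rules, and a type they declare that the merged cluster policy now also declares could make `semodule -B` fail. A comment on the rm line, e.g. `# rgmanager/corosync/aisexec/pacemaker were merged into rhcs.pp in 3.12.1-17`, would tell the next maintainer why these four entries exist.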
@@ -526,6 +526,12 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Mon Mar 4 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-18
+- Fix POSTIN scriptlet
+
+* Fri Mar 1 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-17
+- Merge rgmanger, corosync,pacemaker,aisexec policies to cluster_t in rhcs.pp
+
 * Wed Feb 27 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-16
 - Fix authconfig.py labeling
 - Make any domains that write homedir content do it correctly