diff --git a/policy-F16.patch b/policy-F16.patch
index eab41fe..39e0a72 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -8570,10 +8570,10 @@ index 0000000..8d7c751
 +')
 diff --git a/policy/modules/apps/namespace.te b/policy/modules/apps/namespace.te
 new file mode 100644
-index 0000000..6d4ec21
+index 0000000..a337d62
 --- /dev/null
 +++ b/policy/modules/apps/namespace.te
-@@ -0,0 +1,40 @@
+@@ -0,0 +1,42 @@
 +policy_module(namespace,1.0.0)
 +
 +########################################
@@ -8598,6 +8598,8 @@ index 0000000..6d4ec21
 +
 +kernel_read_system_state(namespace_init_t)
 +
++corecmd_exec_shell(namespace_init_t)
++
 +domain_use_interactive_fds(namespace_init_t)
 +
 +files_read_etc_files(namespace_init_t)
@@ -12554,7 +12556,7 @@ index 223ad43..d95e720 100644
  	rsync_exec(yam_t)
  ')
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 3fae11a..37d3b99 100644
+index 3fae11a..c82360e 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
 @@ -97,8 +97,6 @@ ifdef(`distro_redhat',`
@@ -12791,7 +12793,7 @@ index 3fae11a..37d3b99 100644
  
  /var/qmail/bin			-d	gen_context(system_u:object_r:bin_t,s0)
  /var/qmail/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-@@ -385,3 +401,11 @@ ifdef(`distro_suse', `
+@@ -385,3 +401,12 @@ ifdef(`distro_suse', `
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -12800,6 +12802,7 @@ index 3fae11a..37d3b99 100644
 +# /usr/lib
 +#
 +
++/usr/lib/iscan/network				--	gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/ruby/gems/.*/agents(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/virtualbox/VBoxManage		--	gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/yp/.+						--	gen_context(system_u:object_r:bin_t,s0)
@@ -21553,7 +21556,7 @@ index 2be17d2..de3c13e 100644
 +	userdom_execmod_user_home_files(staff_usertype)
 +')
 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index e14b961..b8f0df4 100644
+index e14b961..37bdf8d 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
 @@ -5,13 +5,6 @@ policy_module(sysadm, 2.2.1)
@@ -21663,7 +21666,7 @@ index e14b961..b8f0df4 100644
  optional_policy(`
 -	consoletype_run(sysadm_t, sysadm_r)
 +	cron_admin_role(sysadm_r, sysadm_t)
-+	cron_role(sysadm_r, sysadm_t)
++	#cron_role(sysadm_r, sysadm_t)
  ')
  
  optional_policy(`
@@ -27260,7 +27263,7 @@ index 44a1e3d..7cc67ec 100644
 +	named_systemctl($1)
  ')
 diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
-index 4deca04..fc86505 100644
+index 4deca04..7859fa1 100644
 --- a/policy/modules/services/bind.te
 +++ b/policy/modules/services/bind.te
 @@ -6,16 +6,24 @@ policy_module(bind, 1.11.0)
@@ -27334,18 +27337,20 @@ index 4deca04..fc86505 100644
  tunable_policy(`named_write_master_zones',`
  	manage_dirs_pattern(named_t, named_zone_t, named_zone_t)
  	manage_files_pattern(named_t, named_zone_t, named_zone_t)
-@@ -154,6 +170,10 @@ tunable_policy(`named_write_master_zones',`
+@@ -154,6 +170,12 @@ tunable_policy(`named_write_master_zones',`
  ')
  
  optional_policy(`
++	# needed by FreeIPA with DNS support
 +	dirsrv_stream_connect(named_t)
++	ldap_stream_connect(named_t)
 +')
 +
 +optional_policy(`
  	init_dbus_chat_script(named_t)
  
  	sysnet_dbus_chat_dhcpc(named_t)
-@@ -198,18 +218,18 @@ allow ndc_t self:process { fork signal_perms };
+@@ -198,18 +220,18 @@ allow ndc_t self:process { fork signal_perms };
  allow ndc_t self:fifo_file rw_fifo_file_perms;
  allow ndc_t self:unix_stream_socket { connect create_stream_socket_perms };
  allow ndc_t self:tcp_socket create_socket_perms;
@@ -27367,7 +27372,7 @@ index 4deca04..fc86505 100644
  kernel_read_kernel_sysctls(ndc_t)
  
  corenet_all_recvfrom_unlabeled(ndc_t)
-@@ -228,6 +248,8 @@ files_search_pids(ndc_t)
+@@ -228,6 +250,8 @@ files_search_pids(ndc_t)
  
  fs_getattr_xattr_fs(ndc_t)
  
@@ -27376,7 +27381,7 @@ index 4deca04..fc86505 100644
  init_use_fds(ndc_t)
  init_use_script_ptys(ndc_t)
  
-@@ -235,24 +257,13 @@ logging_send_syslog_msg(ndc_t)
+@@ -235,24 +259,13 @@ logging_send_syslog_msg(ndc_t)
  
  miscfiles_read_localization(ndc_t)
  
@@ -29917,7 +29922,7 @@ index 1f11572..717fb8d 100644
  
  	init_labeled_script_domtrans($1, clamd_initrc_exec_t)
 diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
-index f758323..4bc077f 100644
+index f758323..4c06224 100644
 --- a/policy/modules/services/clamav.te
 +++ b/policy/modules/services/clamav.te
 @@ -1,9 +1,16 @@
@@ -29991,7 +29996,7 @@ index f758323..4bc077f 100644
  optional_policy(`
  	amavis_read_lib_files(clamd_t)
  	amavis_read_spool_files(clamd_t)
-@@ -142,13 +147,30 @@ optional_policy(`
+@@ -142,13 +147,31 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30011,6 +30016,7 @@ index f758323..4bc077f 100644
 +
 +optional_policy(`
 +	spamd_stream_connect(clamd_t)
++	spamd_read_pid(clamd_t)
 +')
 +
  tunable_policy(`clamd_use_jit',`
@@ -30023,7 +30029,7 @@ index f758323..4bc077f 100644
  ')
  
  ########################################
-@@ -178,10 +200,16 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
+@@ -178,10 +201,16 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
  
  # log files (own logfiles only)
  manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t)
@@ -30042,7 +30048,7 @@ index f758323..4bc077f 100644
  corenet_all_recvfrom_unlabeled(freshclam_t)
  corenet_all_recvfrom_netlabel(freshclam_t)
  corenet_tcp_sendrecv_generic_if(freshclam_t)
-@@ -189,6 +217,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t)
+@@ -189,6 +218,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t)
  corenet_tcp_sendrecv_all_ports(freshclam_t)
  corenet_tcp_sendrecv_clamd_port(freshclam_t)
  corenet_tcp_connect_http_port(freshclam_t)
@@ -30050,7 +30056,7 @@ index f758323..4bc077f 100644
  corenet_sendrecv_http_client_packets(freshclam_t)
  
  dev_read_rand(freshclam_t)
-@@ -207,16 +236,18 @@ miscfiles_read_localization(freshclam_t)
+@@ -207,16 +237,18 @@ miscfiles_read_localization(freshclam_t)
  
  clamav_stream_connect(freshclam_t)
  
@@ -30073,7 +30079,7 @@ index f758323..4bc077f 100644
  ########################################
  #
  # clamscam local policy
-@@ -242,15 +273,29 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })
+@@ -242,15 +274,29 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })
  manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t)
  allow clamscan_t clamd_var_lib_t:dir list_dir_perms;
  
@@ -30103,7 +30109,7 @@ index f758323..4bc077f 100644
  
  files_read_etc_files(clamscan_t)
  files_read_etc_runtime_files(clamscan_t)
-@@ -264,10 +309,15 @@ miscfiles_read_public_files(clamscan_t)
+@@ -264,10 +310,15 @@ miscfiles_read_public_files(clamscan_t)
  
  clamav_stream_connect(clamscan_t)
  
@@ -31175,10 +31181,10 @@ index 0000000..40a0157
 +
 diff --git a/policy/modules/services/collectd.te b/policy/modules/services/collectd.te
 new file mode 100644
-index 0000000..e4d7098
+index 0000000..ca71d08
 --- /dev/null
 +++ b/policy/modules/services/collectd.te
-@@ -0,0 +1,79 @@
+@@ -0,0 +1,80 @@
 +policy_module(collectd, 1.0.0)
 +
 +########################################
@@ -31252,17 +31258,32 @@ index 0000000..e4d7098
 +
 +optional_policy(`
 +	apache_content_template(collectd)
-+	
++
++	files_search_var_lib(httpd_collectd_script_t)	
 +	read_files_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
 +	list_dirs_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
 +	miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t)
 +')
 +
 diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
-index 74505cc..145a4eb 100644
+index 74505cc..246bbf9 100644
 --- a/policy/modules/services/colord.te
 +++ b/policy/modules/services/colord.te
-@@ -23,6 +23,7 @@ files_type(colord_var_lib_t)
+@@ -5,6 +5,13 @@ policy_module(colord, 1.0.0)
+ # Declarations
+ #
+ 
++## <desc>
++##  <p>
++##  Allow colord domain to connect to the network using TCP.
++##  </p>
++## </desc>
++gen_tunable(colord_can_network_connect, false)
++
+ type colord_t;
+ type colord_exec_t;
+ dbus_system_domain(colord_t, colord_exec_t)
+@@ -23,9 +30,11 @@ files_type(colord_var_lib_t)
  # colord local policy
  #
  allow colord_t self:capability { dac_read_search dac_override };
@@ -31270,7 +31291,11 @@ index 74505cc..145a4eb 100644
  allow colord_t self:process signal;
  allow colord_t self:fifo_file rw_fifo_file_perms;
  allow colord_t self:netlink_kobject_uevent_socket create_socket_perms;
-@@ -41,8 +42,13 @@ manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
++allow colord_t self:tcp_socket create_stream_socket_perms;
+ allow colord_t self:udp_socket create_socket_perms;
+ allow colord_t self:unix_dgram_socket create_socket_perms;
+ 
+@@ -41,8 +50,14 @@ manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
  manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
  files_var_lib_filetrans(colord_t, colord_var_lib_t, { file dir })
  
@@ -31282,10 +31307,11 @@ index 74505cc..145a4eb 100644
 +
 +# reads *.ini files
 +corecmd_exec_bin(colord_t)
++corecmd_exec_shell(colord_t)
  
  corenet_all_recvfrom_unlabeled(colord_t)
  corenet_all_recvfrom_netlabel(colord_t)
-@@ -50,6 +56,8 @@ corenet_udp_bind_generic_node(colord_t)
+@@ -50,6 +65,8 @@ corenet_udp_bind_generic_node(colord_t)
  corenet_udp_bind_ipp_port(colord_t)
  corenet_tcp_connect_ipp_port(colord_t)
  
@@ -31294,7 +31320,7 @@ index 74505cc..145a4eb 100644
  dev_read_video_dev(colord_t)
  dev_write_video_dev(colord_t)
  dev_rw_printer(colord_t)
-@@ -65,21 +73,24 @@ files_list_mnt(colord_t)
+@@ -65,19 +82,36 @@ files_list_mnt(colord_t)
  files_read_etc_files(colord_t)
  files_read_usr_files(colord_t)
  
@@ -31315,19 +31341,24 @@ index 74505cc..145a4eb 100644
 -sysnet_dns_name_resolve(colord_t)
 +fs_getattr_tmpfs(colord_t)
 +userdom_rw_user_tmpfs_files(colord_t)
- 
--tunable_policy(`use_nfs_home_dirs',`
--	fs_read_nfs_files(colord_t)
--')
--
--tunable_policy(`use_samba_home_dirs',`
--	fs_read_cifs_files(colord_t)
--')
++
 +userdom_home_reader(colord_t)
++
++tunable_policy(`colord_can_network_connect',`
++    corenet_tcp_connect_all_ports(colord_t)
++')
  
- optional_policy(`
- 	cups_read_config(colord_t)
-@@ -89,6 +100,12 @@ optional_policy(`
+ tunable_policy(`use_nfs_home_dirs',`
++	fs_getattr_nfs(colord_t)
+ 	fs_read_nfs_files(colord_t)
+ ')
+ 
+ tunable_policy(`use_samba_home_dirs',`
++	fs_getattr_cifs(colord_t)
+ 	fs_read_cifs_files(colord_t)
+ ')
+ 
+@@ -89,6 +123,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -31340,7 +31371,7 @@ index 74505cc..145a4eb 100644
  	policykit_dbus_chat(colord_t)
  	policykit_domtrans_auth(colord_t)
  	policykit_read_lib(colord_t)
-@@ -96,5 +113,16 @@ optional_policy(`
+@@ -96,5 +136,16 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -33674,7 +33705,7 @@ index c43ff4c..5da88b5 100644
  	init_labeled_script_domtrans($1, cvs_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/policy/modules/services/cvs.te b/policy/modules/services/cvs.te
-index 88e7e97..e18dc0b 100644
+index 88e7e97..1546703 100644
 --- a/policy/modules/services/cvs.te
 +++ b/policy/modules/services/cvs.te
 @@ -6,9 +6,9 @@ policy_module(cvs, 1.9.0)
@@ -33704,7 +33735,16 @@ index 88e7e97..e18dc0b 100644
  
  manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t)
  manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
-@@ -112,4 +112,5 @@ optional_policy(`
+@@ -81,6 +81,8 @@ files_read_etc_runtime_files(cvs_t)
+ # for identd; cjp: this should probably only be inetd_child rules?
+ files_search_home(cvs_t)
+ 
++init_dontaudit_read_utmp(cvs_t)
++
+ logging_send_syslog_msg(cvs_t)
+ logging_send_audit_msgs(cvs_t)
+ 
+@@ -112,4 +114,5 @@ optional_policy(`
  	read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
  	manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
  	manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
@@ -36415,7 +36455,7 @@ index 9bd812b..144cbb7 100644
 +	dnsmasq_systemctl($1)
  ')
 diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te
-index fdaeeba..8542225 100644
+index fdaeeba..b1ea136 100644
 --- a/policy/modules/services/dnsmasq.te
 +++ b/policy/modules/services/dnsmasq.te
 @@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t)
@@ -36428,7 +36468,7 @@ index fdaeeba..8542225 100644
  ########################################
  #
  # Local policy
-@@ -48,11 +51,13 @@ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
+@@ -48,11 +51,14 @@ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
  manage_files_pattern(dnsmasq_t, dnsmasq_var_log_t, dnsmasq_var_log_t)
  logging_log_filetrans(dnsmasq_t, dnsmasq_var_log_t, file)
  
@@ -36439,11 +36479,12 @@ index fdaeeba..8542225 100644
  
  kernel_read_kernel_sysctls(dnsmasq_t)
  kernel_read_system_state(dnsmasq_t)
++kernel_read_network_state(dnsmasq_t)
 +kernel_request_load_module(dnsmasq_t)
  
  corenet_all_recvfrom_unlabeled(dnsmasq_t)
  corenet_all_recvfrom_netlabel(dnsmasq_t)
-@@ -88,6 +93,8 @@ logging_send_syslog_msg(dnsmasq_t)
+@@ -88,6 +94,8 @@ logging_send_syslog_msg(dnsmasq_t)
  
  miscfiles_read_localization(dnsmasq_t)
  
@@ -36452,7 +36493,7 @@ index fdaeeba..8542225 100644
  userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
  userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
  
-@@ -96,7 +103,20 @@ optional_policy(`
+@@ -96,7 +104,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -36473,7 +36514,7 @@ index fdaeeba..8542225 100644
  ')
  
  optional_policy(`
-@@ -114,4 +134,5 @@ optional_policy(`
+@@ -114,4 +135,5 @@ optional_policy(`
  optional_policy(`
  	virt_manage_lib_files(dnsmasq_t)
  	virt_read_pid_files(dnsmasq_t)
@@ -43323,7 +43364,7 @@ index 67c7fdd..d7338be 100644
  ## <summary>
  ##	Execute mailman CGI scripts in the 
 diff --git a/policy/modules/services/mailman.te b/policy/modules/services/mailman.te
-index af4d572..cea085e 100644
+index af4d572..0c0925e 100644
 --- a/policy/modules/services/mailman.te
 +++ b/policy/modules/services/mailman.te
 @@ -19,6 +19,9 @@ logging_log_file(mailman_log_t)
@@ -43336,7 +43377,7 @@ index af4d572..cea085e 100644
  mailman_domain_template(mail)
  init_daemon_domain(mailman_mail_t, mailman_mail_exec_t)
  
-@@ -61,14 +64,22 @@ optional_policy(`
+@@ -61,14 +64,24 @@ optional_policy(`
  # Mailman mail local policy
  #
  
@@ -43358,10 +43399,12 @@ index af4d572..cea085e 100644
 +corenet_tcp_connect_innd_port(mailman_mail_t)
 +corenet_tcp_connect_spamd_port(mailman_mail_t)
 +
++dev_read_urand(mailman_mail_t)
++
  files_search_spool(mailman_mail_t)
  
  fs_rw_anon_inodefs_files(mailman_mail_t)
-@@ -81,11 +92,16 @@ optional_policy(`
+@@ -81,11 +94,16 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -43378,7 +43421,7 @@ index af4d572..cea085e 100644
  ')
  
  ########################################
-@@ -104,6 +120,8 @@ manage_lnk_files_pattern(mailman_queue_t, mailman_archive_t, mailman_archive_t)
+@@ -104,6 +122,8 @@ manage_lnk_files_pattern(mailman_queue_t, mailman_archive_t, mailman_archive_t)
  
  kernel_read_proc_symlinks(mailman_queue_t)
  
@@ -43387,7 +43430,7 @@ index af4d572..cea085e 100644
  auth_domtrans_chk_passwd(mailman_queue_t)
  
  files_dontaudit_search_pids(mailman_queue_t)
-@@ -125,4 +143,4 @@ optional_policy(`
+@@ -125,4 +145,4 @@ optional_policy(`
  
  optional_policy(`
  	su_exec(mailman_queue_t)
@@ -53190,7 +53233,7 @@ index 2855a44..58bb459 100644
 +    allow $1 puppet_var_run_t:dir search_dir_perms;
 +')
 diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
-index 64c5f95..fb500de 100644
+index 64c5f95..e237da7 100644
 --- a/policy/modules/services/puppet.te
 +++ b/policy/modules/services/puppet.te
 @@ -6,12 +6,19 @@ policy_module(puppet, 1.0.0)
@@ -53386,7 +53429,7 @@ index 64c5f95..fb500de 100644
  #
  
  allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
-@@ -171,29 +258,35 @@ allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
+@@ -171,29 +258,36 @@ allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
  allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms;
  allow puppetmaster_t self:socket create;
  allow puppetmaster_t self:tcp_socket create_stream_socket_perms;
@@ -53419,13 +53462,14 @@ index 64c5f95..fb500de 100644
 +allow puppetmaster_t puppet_tmp_t:dir relabel_dir_perms;
  
  kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
++`kernel_read_network_state(puppetmaster_t)
  kernel_read_system_state(puppetmaster_t)
  kernel_read_crypto_sysctls(puppetmaster_t)
 +kernel_read_kernel_sysctls(puppetmaster_t)
  
  corecmd_exec_bin(puppetmaster_t)
  corecmd_exec_shell(puppetmaster_t)
-@@ -206,21 +299,46 @@ corenet_tcp_bind_generic_node(puppetmaster_t)
+@@ -206,21 +300,46 @@ corenet_tcp_bind_generic_node(puppetmaster_t)
  corenet_tcp_bind_puppet_port(puppetmaster_t)
  corenet_sendrecv_puppet_server_packets(puppetmaster_t)
  
@@ -53475,7 +53519,7 @@ index 64c5f95..fb500de 100644
  optional_policy(`
  	hostname_exec(puppetmaster_t)
  ')
-@@ -231,3 +349,9 @@ optional_policy(`
+@@ -231,3 +350,9 @@ optional_policy(`
  	rpm_exec(puppetmaster_t)
  	rpm_read_db(puppetmaster_t)
  ')
@@ -57937,7 +57981,7 @@ index 82cb169..48c023e 100644
 +	samba_systemctl($1)
  ')
 diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
-index e30bb63..d893f99 100644
+index e30bb63..bac0112 100644
 --- a/policy/modules/services/samba.te
 +++ b/policy/modules/services/samba.te
 @@ -85,6 +85,9 @@ files_config_file(samba_etc_t)
@@ -58253,7 +58297,22 @@ index e30bb63..d893f99 100644
  corenet_tcp_connect_epmap_port(winbind_t)
  corenet_tcp_connect_all_unreserved_ports(winbind_t)
  
-@@ -863,6 +888,12 @@ userdom_manage_user_home_content_pipes(winbind_t)
+@@ -850,10 +875,14 @@ domain_use_interactive_fds(winbind_t)
+ 
+ files_read_etc_files(winbind_t)
+ files_read_usr_symlinks(winbind_t)
++files_list_var_lib(winbind_t)
+ 
+ logging_send_syslog_msg(winbind_t)
+ 
+ miscfiles_read_localization(winbind_t)
++miscfiles_read_generic_certs(winbind_t)
++
++sysnet_use_ldap(winbind_t)
+ 
+ userdom_dontaudit_use_unpriv_user_fds(winbind_t)
+ userdom_manage_user_home_content_dirs(winbind_t)
+@@ -863,6 +892,12 @@ userdom_manage_user_home_content_pipes(winbind_t)
  userdom_manage_user_home_content_sockets(winbind_t)
  userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file })
  
@@ -58266,7 +58325,7 @@ index e30bb63..d893f99 100644
  optional_policy(`
  	kerberos_use(winbind_t)
  ')
-@@ -904,7 +935,7 @@ logging_send_syslog_msg(winbind_helper_t)
+@@ -904,7 +939,7 @@ logging_send_syslog_msg(winbind_helper_t)
  
  miscfiles_read_localization(winbind_helper_t) 
  
@@ -58275,7 +58334,7 @@ index e30bb63..d893f99 100644
  
  optional_policy(`
  	apache_append_log(winbind_helper_t)
-@@ -922,6 +953,18 @@ optional_policy(`
+@@ -922,6 +957,18 @@ optional_policy(`
  #
  
  optional_policy(`
@@ -58294,7 +58353,7 @@ index e30bb63..d893f99 100644
  	type samba_unconfined_script_t;
  	type samba_unconfined_script_exec_t;
  	domain_type(samba_unconfined_script_t)
-@@ -932,9 +975,12 @@ optional_policy(`
+@@ -932,9 +979,12 @@ optional_policy(`
  	allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
  	allow smbd_t samba_unconfined_script_exec_t:file ioctl;
  
@@ -58613,7 +58672,7 @@ index f1aea88..3e6a93f 100644
  	admin_pattern($1, saslauthd_var_run_t)
  ')
 diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te
-index cfc60dd..791c5b3 100644
+index cfc60dd..71d76cf 100644
 --- a/policy/modules/services/sasl.te
 +++ b/policy/modules/services/sasl.te
 @@ -19,9 +19,6 @@ init_daemon_domain(saslauthd_t, saslauthd_exec_t)
@@ -58650,7 +58709,15 @@ index cfc60dd..791c5b3 100644
  
  corenet_all_recvfrom_unlabeled(saslauthd_t)
  corenet_all_recvfrom_netlabel(saslauthd_t)
-@@ -94,6 +94,7 @@ tunable_policy(`allow_saslauthd_read_shadow',`
+@@ -55,6 +55,7 @@ corenet_tcp_sendrecv_generic_if(saslauthd_t)
+ corenet_tcp_sendrecv_generic_node(saslauthd_t)
+ corenet_tcp_sendrecv_all_ports(saslauthd_t)
+ corenet_tcp_connect_pop_port(saslauthd_t)
++corenet_tcp_connect_zarafa_port(saslauthd_t)
+ corenet_sendrecv_pop_client_packets(saslauthd_t)
+ 
+ dev_read_urand(saslauthd_t)
+@@ -94,6 +95,7 @@ tunable_policy(`allow_saslauthd_read_shadow',`
  
  optional_policy(`
  	kerberos_keytab_template(saslauthd, saslauthd_t)
@@ -59663,7 +59730,7 @@ index 6b3abf9..a785741 100644
 +/var/spool/MD-Quarantine(/.*)?	gen_context(system_u:object_r:spamd_var_run_t,s0)
 +/var/spool/MIMEDefang(/.*)?	gen_context(system_u:object_r:spamd_var_run_t,s0)
 diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if
-index c954f31..85e8212 100644
+index c954f31..4aac595 100644
 --- a/policy/modules/services/spamassassin.if
 +++ b/policy/modules/services/spamassassin.if
 @@ -14,6 +14,7 @@
@@ -59782,7 +59849,7 @@ index c954f31..85e8212 100644
  	allow $1 spamd_tmp_t:file read_file_perms;
  ')
  
-@@ -223,5 +291,75 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
+@@ -223,5 +291,94 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
  		type spamd_tmp_t;
  	')
  
@@ -59790,6 +59857,25 @@ index c954f31..85e8212 100644
 +	dontaudit $1 spamd_tmp_t:sock_file getattr_sock_file_perms;
 +')
 +
++#######################################
++## <summary>
++##  Read spamd pid file.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed to connect.
++##  </summary>
++## </param>
++#
++interface(`spamd_read_pid',`
++    gen_require(`
++        type spamd_t, spamd_var_run_t;
++    ')
++
++    files_search_pids($1)
++    read_files_pattern($1, spamd_var_run_t, spamd_var_run_t)
++')
++
 +########################################
 +## <summary>
 +##	Connect to run spamd.
@@ -59860,7 +59946,7 @@ index c954f31..85e8212 100644
 +	admin_pattern($1, spamd_var_run_t)
  ')
 diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
-index ec1eb1e..fdb471a 100644
+index ec1eb1e..9d10f0b 100644
 --- a/policy/modules/services/spamassassin.te
 +++ b/policy/modules/services/spamassassin.te
 @@ -6,56 +6,101 @@ policy_module(spamassassin, 2.4.0)
@@ -60280,7 +60366,15 @@ index ec1eb1e..fdb471a 100644
  ')
  
  optional_policy(`
-@@ -451,3 +531,51 @@ optional_policy(`
+@@ -444,6 +524,7 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	mta_send_mail(spamd_t)
+ 	sendmail_stub(spamd_t)
+ 	mta_read_config(spamd_t)
+ ')
+@@ -451,3 +532,51 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(spamd_t)
  ')
@@ -60448,21 +60542,22 @@ index 4b2230e..950e65a 100644
 +	kerberos_manage_host_rcache(squid_t)
 +')
 diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
-index 078bcd7..2d60774 100644
+index 078bcd7..84d29ee 100644
 --- a/policy/modules/services/ssh.fc
 +++ b/policy/modules/services/ssh.fc
-@@ -1,4 +1,10 @@
+@@ -1,4 +1,11 @@
  HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 +HOME_DIR/\.shosts			gen_context(system_u:object_r:ssh_home_t,s0)
 +
 +/var/lib/amanda/\.ssh(/.*)?		gen_context(system_u:object_r:ssh_home_t,s0)
-+/var/lib/gitolite/\.ssh(/.*)?		gen_context(system_u:object_r:ssh_home_t,s0)
++/var/lib/gitolite/\.ssh(/.*)?	gen_context(system_u:object_r:ssh_home_t,s0)
++/var/lib/nocpulse/\.ssh(/.*)?	gen_context(system_u:object_r:ssh_home_t,s0)
 +
 +/etc/rc\.d/init\.d/sshd        --  gen_context(system_u:object_r:sshd_initrc_exec_t,s0)
  
  /etc/ssh/primes			--	gen_context(system_u:object_r:sshd_key_t,s0)
  /etc/ssh/ssh_host_key 		--	gen_context(system_u:object_r:sshd_key_t,s0)
-@@ -14,3 +20,7 @@ HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
+@@ -14,3 +21,7 @@ HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
  /usr/sbin/sshd			--	gen_context(system_u:object_r:sshd_exec_t,s0)
  
  /var/run/sshd\.init\.pid	--	gen_context(system_u:object_r:sshd_var_run_t,s0)
@@ -73997,7 +74092,7 @@ index 8b5c196..da41726 100644
 +    role $2 types showmount_t;
  ')
 diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 15832c7..b90b726 100644
+index 15832c7..a50ceba 100644
 --- a/policy/modules/system/mount.te
 +++ b/policy/modules/system/mount.te
 @@ -17,17 +17,29 @@ type mount_exec_t;
@@ -74078,7 +74173,7 @@ index 15832c7..b90b726 100644
  kernel_dontaudit_write_debugfs_dirs(mount_t)
  kernel_dontaudit_write_proc_dirs(mount_t)
  # To load binfmt_misc kernel module
-@@ -57,65 +92,93 @@ kernel_request_load_module(mount_t)
+@@ -57,65 +92,94 @@ kernel_request_load_module(mount_t)
  # required for mount.smbfs
  corecmd_exec_bin(mount_t)
  
@@ -74087,6 +74182,7 @@ index 15832c7..b90b726 100644
  dev_list_all_dev_nodes(mount_t)
 +dev_read_usbfs(mount_t)
 +dev_read_rand(mount_t)
++dev_read_urand(mount_t)
  dev_read_sysfs(mount_t)
  dev_dontaudit_write_sysfs_dirs(mount_t)
  dev_rw_lvm_control(mount_t)
@@ -74181,7 +74277,7 @@ index 15832c7..b90b726 100644
  
  logging_send_syslog_msg(mount_t)
  
-@@ -126,6 +189,8 @@ sysnet_use_portmap(mount_t)
+@@ -126,6 +190,8 @@ sysnet_use_portmap(mount_t)
  seutil_read_config(mount_t)
  
  userdom_use_all_users_fds(mount_t)
@@ -74190,7 +74286,7 @@ index 15832c7..b90b726 100644
  
  ifdef(`distro_redhat',`
  	optional_policy(`
-@@ -141,26 +206,28 @@ ifdef(`distro_ubuntu',`
+@@ -141,26 +207,28 @@ ifdef(`distro_ubuntu',`
  	')
  ')
  
@@ -74229,7 +74325,7 @@ index 15832c7..b90b726 100644
  	corenet_tcp_bind_generic_port(mount_t)
  	corenet_udp_bind_generic_port(mount_t)
  	corenet_tcp_bind_reserved_port(mount_t)
-@@ -174,6 +241,8 @@ optional_policy(`
+@@ -174,6 +242,8 @@ optional_policy(`
  	fs_search_rpc(mount_t)
  
  	rpc_stub(mount_t)
@@ -74238,7 +74334,7 @@ index 15832c7..b90b726 100644
  ')
  
  optional_policy(`
-@@ -181,6 +250,28 @@ optional_policy(`
+@@ -181,6 +251,28 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -74267,7 +74363,7 @@ index 15832c7..b90b726 100644
  	ifdef(`hide_broken_symptoms',`
  		# for a bug in the X server
  		rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -188,21 +279,87 @@ optional_policy(`
+@@ -188,21 +280,87 @@ optional_policy(`
  	')
  ')
  
diff --git a/selinux-policy.spec b/selinux-policy.spec
index cdb778b..308544c 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 59%{?dist}
+Release: 61%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz