diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index bdae1d1..1568f3c 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -1052,10 +1052,17 @@ index 4705ab6..b82865c 100644
+## </desc>
+gen_tunable(mount_anyfile, false)
diff --git a/policy/mcs b/policy/mcs
-index 216b3d1..78e56ed 100644
+index 216b3d1..064ec83 100644
--- a/policy/mcs
+++ b/policy/mcs
-@@ -69,53 +69,56 @@ gen_levels(1,mcs_num_cats)
+@@ -1,4 +1,6 @@
+ ifdef(`enable_mcs',`
++default_range dir_file_class_set target low;
++
+ #
+ # Define sensitivities
+ #
+@@ -69,53 +71,56 @@ gen_levels(1,mcs_num_cats)
# - /proc/pid operations are not constrained.
mlsconstrain file { read ioctl lock execute execute_no_trans }
@@ -1132,7 +1139,7 @@ index 216b3d1..78e56ed 100644
mlsconstrain process { signal }
(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
-@@ -135,6 +138,9 @@ mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure d
+@@ -135,6 +140,9 @@ mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure d
mlsconstrain { db_tuple } { insert relabelto }
(( h1 dom h2 ) and ( l2 eq h2 ));
@@ -1142,7 +1149,7 @@ index 216b3d1..78e56ed 100644
# Access control for any database objects based on MCS rules.
mlsconstrain db_database { drop getattr setattr relabelfrom access install_module load_module get_param set_param }
( h1 dom h2 );
-@@ -166,4 +172,23 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute }
+@@ -166,4 +174,23 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute }
mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
( h1 dom h2 );
@@ -42578,7 +42585,7 @@ index 2cea692..57c9025 100644
+ files_pid_filetrans($1, ifconfig_var_run_t, dir, "netns")
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index a392fc4..77ee719 100644
+index a392fc4..bf8b888 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4)
@@ -42720,13 +42727,14 @@ index a392fc4..77ee719 100644
modutils_run_insmod(dhcpc_t, dhcpc_roles)
-@@ -161,7 +185,14 @@ ifdef(`distro_ubuntu',`
+@@ -161,7 +185,15 @@ ifdef(`distro_ubuntu',`
')
optional_policy(`
- consoletype_run(dhcpc_t, dhcpc_roles)
+ chronyd_initrc_domtrans(dhcpc_t)
+ chronyd_systemctl(dhcpc_t)
++ chronyd_domtrans(dhcpc_t)
+ chronyd_read_keys(dhcpc_t)
+')
+
@@ -42736,7 +42744,7 @@ index a392fc4..77ee719 100644
')
optional_policy(`
-@@ -179,10 +210,6 @@ optional_policy(`
+@@ -179,10 +211,6 @@ optional_policy(`
')
optional_policy(`
@@ -42747,7 +42755,7 @@ index a392fc4..77ee719 100644
hotplug_getattr_config_dirs(dhcpc_t)
hotplug_search_config(dhcpc_t)
-@@ -195,23 +222,31 @@ optional_policy(`
+@@ -195,23 +223,31 @@ optional_policy(`
optional_policy(`
netutils_run_ping(dhcpc_t, dhcpc_roles)
netutils_run(dhcpc_t, dhcpc_roles)
@@ -42782,7 +42790,7 @@ index a392fc4..77ee719 100644
')
optional_policy(`
-@@ -221,7 +256,11 @@ optional_policy(`
+@@ -221,7 +257,11 @@ optional_policy(`
optional_policy(`
seutil_sigchld_newrole(dhcpc_t)
@@ -42795,7 +42803,7 @@ index a392fc4..77ee719 100644
')
optional_policy(`
-@@ -233,6 +272,10 @@ optional_policy(`
+@@ -233,6 +273,10 @@ optional_policy(`
')
optional_policy(`
@@ -42806,7 +42814,7 @@ index a392fc4..77ee719 100644
vmware_append_log(dhcpc_t)
')
-@@ -264,12 +307,24 @@ allow ifconfig_t self:msgq create_msgq_perms;
+@@ -264,12 +308,24 @@ allow ifconfig_t self:msgq create_msgq_perms;
allow ifconfig_t self:msg { send receive };
# Create UDP sockets, necessary when called from dhcpc
allow ifconfig_t self:udp_socket create_socket_perms;
@@ -42831,7 +42839,7 @@ index a392fc4..77ee719 100644
kernel_use_fds(ifconfig_t)
kernel_read_system_state(ifconfig_t)
kernel_read_network_state(ifconfig_t)
-@@ -279,14 +334,32 @@ kernel_rw_net_sysctls(ifconfig_t)
+@@ -279,14 +335,32 @@ kernel_rw_net_sysctls(ifconfig_t)
corenet_rw_tun_tap_dev(ifconfig_t)
@@ -42864,7 +42872,7 @@ index a392fc4..77ee719 100644
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
-@@ -299,33 +372,51 @@ term_dontaudit_use_all_ptys(ifconfig_t)
+@@ -299,33 +373,51 @@ term_dontaudit_use_all_ptys(ifconfig_t)
term_dontaudit_use_ptmx(ifconfig_t)
term_dontaudit_use_generic_ptys(ifconfig_t)
@@ -42922,7 +42930,7 @@ index a392fc4..77ee719 100644
optional_policy(`
dev_dontaudit_rw_cardmgr(ifconfig_t)
')
-@@ -336,7 +427,11 @@ ifdef(`hide_broken_symptoms',`
+@@ -336,7 +428,11 @@ ifdef(`hide_broken_symptoms',`
')
optional_policy(`
@@ -42935,7 +42943,7 @@ index a392fc4..77ee719 100644
')
optional_policy(`
-@@ -350,7 +445,16 @@ optional_policy(`
+@@ -350,7 +446,16 @@ optional_policy(`
')
optional_policy(`
@@ -42953,7 +42961,7 @@ index a392fc4..77ee719 100644
')
optional_policy(`
-@@ -371,3 +475,13 @@ optional_policy(`
+@@ -371,3 +476,13 @@ optional_policy(`
xen_append_log(ifconfig_t)
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 6fecdc7..36bbc41 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -11947,7 +11947,7 @@ index 008f8ef..144c074 100644
admin_pattern($1, certmonger_var_run_t)
')
diff --git a/certmonger.te b/certmonger.te
-index 550b287..fc5b086 100644
+index 550b287..943af3b 100644
--- a/certmonger.te
+++ b/certmonger.te
@@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t)
@@ -12036,7 +12036,7 @@ index 550b287..fc5b086 100644
')
optional_policy(`
-@@ -92,11 +109,57 @@ optional_policy(`
+@@ -92,11 +109,58 @@ optional_policy(`
')
optional_policy(`
@@ -12050,6 +12050,7 @@ index 550b287..fc5b086 100644
+optional_policy(`
+ ipa_manage_lib(certmonger_t)
+ ipa_manage_pid_files(certmonger_t)
++ ipa_filetrans_pid(certmonger_t,"renewal.lock")
+')
+
+optional_policy(`
@@ -37061,10 +37062,10 @@ index 0000000..db194ec
+
diff --git a/ipa.if b/ipa.if
new file mode 100644
-index 0000000..71bde7d
+index 0000000..904782d
--- /dev/null
+++ b/ipa.if
-@@ -0,0 +1,155 @@
+@@ -0,0 +1,178 @@
+## <summary>Policy for IPA services.</summary>
+
+########################################
@@ -37220,6 +37221,29 @@ index 0000000..71bde7d
+ manage_dirs_pattern($1, ipa_var_run_t, ipa_var_run_t)
+')
+
++########################################
++## <summary>
++## Create specified objects in generic
++## pid directories with the ipa pid file type.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="name" optional="true">
++## <summary>
++## The name of the object being created.
++## </summary>
++## </param>
++#
++interface(`ipa_filetrans_pid',`
++ gen_require(`
++ type ipa_var_run_t;
++ ')
++
++ files_pid_filetrans($1, ipa_var_run_t, file, $2)
++')
diff --git a/ipa.te b/ipa.te
new file mode 100644
index 0000000..694c092
@@ -66020,10 +66044,10 @@ index 0000000..80246e6
+
diff --git a/pcp.te b/pcp.te
new file mode 100644
-index 0000000..684f7b0
+index 0000000..5b5747f
--- /dev/null
+++ b/pcp.te
-@@ -0,0 +1,260 @@
+@@ -0,0 +1,264 @@
+policy_module(pcp, 1.0.0)
+
+########################################
@@ -66217,6 +66241,10 @@ index 0000000..684f7b0
+# pcp_pmwebd local policy
+#
+
++kernel_read_system_state(pcp_pmwebd_t)
++
++corecmd_exec_shell(pcp_pmwebd_t)
++
+corenet_tcp_bind_generic_node(pcp_pmwebd_t)
+
+optional_policy(`
@@ -83184,10 +83212,10 @@ index c8a1e16..2d409bf 100644
xen_domtrans_xm(rgmanager_t)
')
diff --git a/rhcs.fc b/rhcs.fc
-index 47de2d6..eb08783 100644
+index 47de2d6..9ecda11 100644
--- a/rhcs.fc
+++ b/rhcs.fc
-@@ -1,31 +1,93 @@
+@@ -1,31 +1,95 @@
-/etc/rc\.d/init\.d/dlm -- gen_context(system_u:object_r:dlm_controld_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/foghorn -- gen_context(system_u:object_r:foghorn_initrc_exec_t,s0)
+/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
@@ -83277,6 +83305,8 @@ index 47de2d6..eb08783 100644
+
+/usr/share/corosync/corosync -- gen_context(system_u:object_r:cluster_exec_t,s0)
+
++/usr/share/cluster/fence_scsi_check.* -- gen_context(system_u:object_r:fenced_exec_t,s0)
++
+/usr/lib/pcsd/pcsd -- gen_context(system_u:object_r:cluster_exec_t,s0)
+
+/usr/lib/heartbeat(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
@@ -84152,7 +84182,7 @@ index c8bdea2..29df561 100644
+ allow $1 cluster_unit_file_t:service all_service_perms;
')
diff --git a/rhcs.te b/rhcs.te
-index 6cf79c4..448a0c5 100644
+index 6cf79c4..9d253c3 100644
--- a/rhcs.te
+++ b/rhcs.te
@@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false)
@@ -84582,24 +84612,26 @@ index 6cf79c4..448a0c5 100644
')
optional_policy(`
-@@ -190,12 +484,13 @@ optional_policy(`
+@@ -190,12 +484,17 @@ optional_policy(`
')
optional_policy(`
- gnome_read_generic_home_content(fenced_t)
-+ lvm_domtrans(fenced_t)
-+ lvm_read_config(fenced_t)
-+ lvm_stream_connect(fenced_t)
++ libs_exec_ldconfig(fenced_t)
')
optional_policy(`
-- lvm_domtrans(fenced_t)
-- lvm_read_config(fenced_t)
+ lvm_domtrans(fenced_t)
+ lvm_read_config(fenced_t)
++ lvm_stream_connect(fenced_t)
++')
++
++optional_policy(`
+ sanlock_domtrans(fenced_t)
')
optional_policy(`
-@@ -203,6 +498,13 @@ optional_policy(`
+@@ -203,6 +502,17 @@ optional_policy(`
snmp_manage_var_lib_dirs(fenced_t)
')
@@ -84610,10 +84642,14 @@ index 6cf79c4..448a0c5 100644
+ virt_stream_connect(fenced_t)
+')
+
++optional_policy(`
++ watchdog_unconfined_exec_read_lnk_files(fenced_t)
++')
++
#######################################
#
# foghorn local policy
-@@ -221,16 +523,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
+@@ -221,16 +531,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
corenet_tcp_connect_agentx_port(foghorn_t)
corenet_tcp_sendrecv_agentx_port(foghorn_t)
@@ -84634,7 +84670,7 @@ index 6cf79c4..448a0c5 100644
snmp_stream_connect(foghorn_t)
')
-@@ -247,16 +551,20 @@ stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_
+@@ -247,16 +559,20 @@ stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_
stream_connect_pattern(gfs_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
stream_connect_pattern(gfs_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
@@ -84656,7 +84692,7 @@ index 6cf79c4..448a0c5 100644
optional_policy(`
lvm_exec(gfs_controld_t)
dev_rw_lvm_control(gfs_controld_t)
-@@ -275,10 +583,57 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
+@@ -275,10 +591,57 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
dev_list_sysfs(groupd_t)
@@ -84716,7 +84752,7 @@ index 6cf79c4..448a0c5 100644
######################################
#
# qdiskd local policy
-@@ -292,7 +647,6 @@ manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
+@@ -292,7 +655,6 @@ manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
manage_sock_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
files_var_lib_filetrans(qdiskd_t, qdiskd_var_lib_t, { file dir sock_file })
@@ -84724,7 +84760,7 @@ index 6cf79c4..448a0c5 100644
kernel_read_software_raid_state(qdiskd_t)
kernel_getattr_core_if(qdiskd_t)
-@@ -321,6 +675,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
+@@ -321,6 +683,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
auth_use_nsswitch(qdiskd_t)
@@ -112151,11 +112187,37 @@ index eecd0e0..8df2e8c 100644
/var/log/watchdog.* gen_context(system_u:object_r:watchdog_log_t,s0)
/var/run/watchdog\.pid -- gen_context(system_u:object_r:watchdog_var_run_t,s0)
+diff --git a/watchdog.if b/watchdog.if
+index 6461a77..146852e 100644
+--- a/watchdog.if
++++ b/watchdog.if
+@@ -37,3 +37,21 @@ interface(`watchdog_admin',`
+ files_search_pids($1)
+ admin_pattern($1, watchdog_var_run_t)
+ ')
++
++#######################################
++## <summary>
++## Allow read watchdog_unconfined_t lnk files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`watchdog_unconfined_exec_read_lnk_files',`
++ gen_require(`
++ type watchdog_unconfined_exec_t;
++ ')
++
++ allow $1 watchdog_unconfined_exec_t:lnk_file read_lnk_file_perms;
++')
diff --git a/watchdog.te b/watchdog.te
-index 3548317..a6d1675 100644
+index 3548317..fc3da17 100644
--- a/watchdog.te
+++ b/watchdog.te
-@@ -12,29 +12,41 @@ init_daemon_domain(watchdog_t, watchdog_exec_t)
+@@ -12,34 +12,47 @@ init_daemon_domain(watchdog_t, watchdog_exec_t)
type watchdog_initrc_exec_t;
init_script_file(watchdog_initrc_exec_t)
@@ -112183,12 +112245,12 @@ index 3548317..a6d1675 100644
allow watchdog_t self:fifo_file rw_fifo_file_perms;
allow watchdog_t self:tcp_socket { accept listen };
+allow watchdog_t self:rawip_socket create_socket_perms;
-+
-+manage_files_pattern(watchdog_t, watchdog_cache_t, watchdog_cache_t)
-+manage_dirs_pattern(watchdog_t, watchdog_cache_t, watchdog_cache_t)
-allow watchdog_t watchdog_log_t:file { append_file_perms create_file_perms setattr_file_perms };
-logging_log_filetrans(watchdog_t, watchdog_log_t, file)
++manage_files_pattern(watchdog_t, watchdog_cache_t, watchdog_cache_t)
++manage_dirs_pattern(watchdog_t, watchdog_cache_t, watchdog_cache_t)
++
+manage_files_pattern(watchdog_t,watchdog_log_t,watchdog_log_t)
+manage_dirs_pattern(watchdog_t,watchdog_log_t,watchdog_log_t)
+logging_log_filetrans(watchdog_t, watchdog_log_t,{dir file})
@@ -112200,7 +112262,13 @@ index 3548317..a6d1675 100644
kernel_read_system_state(watchdog_t)
kernel_read_kernel_sysctls(watchdog_t)
kernel_unmount_proc(watchdog_t)
-@@ -63,7 +75,6 @@ domain_signull_all_domains(watchdog_t)
+
+ corecmd_exec_shell(watchdog_t)
++corecmd_exec_bin(watchdog_t)
+
+ corenet_all_recvfrom_unlabeled(watchdog_t)
+ corenet_all_recvfrom_netlabel(watchdog_t)
+@@ -63,7 +76,6 @@ domain_signull_all_domains(watchdog_t)
domain_signal_all_domains(watchdog_t)
domain_kill_all_domains(watchdog_t)
@@ -112208,7 +112276,7 @@ index 3548317..a6d1675 100644
files_manage_etc_runtime_files(watchdog_t)
files_etc_filetrans_etc_runtime(watchdog_t, file)
-@@ -72,17 +83,20 @@ fs_getattr_all_fs(watchdog_t)
+@@ -72,17 +84,20 @@ fs_getattr_all_fs(watchdog_t)
fs_search_auto_mountpoints(watchdog_t)
auth_append_login_records(watchdog_t)
@@ -112231,11 +112299,25 @@ index 3548317..a6d1675 100644
mta_send_mail(watchdog_t)
')
-@@ -97,3 +111,28 @@ optional_policy(`
+@@ -91,9 +106,42 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ rhcs_domtrans_fenced(watchdog_t)
++')
++
++optional_policy(`
+ seutil_sigchld_newrole(watchdog_t)
+ ')
+
optional_policy(`
udev_read_db(watchdog_t)
')
+
++optional_policy(`
++ watchdog_unconfined_exec_read_lnk_files(watchdog_t)
++')
++
+########################################
+#
+# watchdog_unconfined_script_t local policy
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 80ee139..43d45ea 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 144%{?dist}
+Release: 145%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -647,6 +647,15 @@ exit 0
%endif
%changelog
+* Sun Aug 30 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-145
+- Allow watchdog execute fenced python script.
+- Added inferface watchdog_unconfined_exec_read_lnk_files()
+- Allow pmweb daemon to exec shell. BZ(1256127)
+- Allow pmweb daemon to read system state. BZ(#1256128)
+- Add file transition that cermonger can create /run/ipa/renewal.lock with label ipa_var_run_t.
+- Revert "Revert default_range change in targeted policy"
+- Allow dhcpc_t domain transition to chronyd_t
+
* Mon Aug 24 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-144
- Allow pmlogger to create pmlogger.primary.socket link file. BZ(1254080)
- Allow NetworkManager send sigkill to dnssec-trigger. BZ(1251764)