diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index fac149d..da6f779 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -8721,7 +8721,7 @@ index 6a1e4d1..84e8030 100644
 +	dontaudit $1 domain:dir_file_class_set audit_access;
  ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..2b917b5 100644
+index cf04cb5..5a40b38 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
 @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@@ -8858,7 +8858,7 @@ index cf04cb5..2b917b5 100644
  
  # Create/access any System V IPC objects.
  allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +231,296 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +231,297 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
  # act on all domains keys
  allow unconfined_domain_type domain:key *;
  
@@ -9027,6 +9027,7 @@ index cf04cb5..2b917b5 100644
 +	systemd_login_reboot(unconfined_domain_type)
 +	systemd_login_halt(unconfined_domain_type)
 +	systemd_login_undefined(unconfined_domain_type)
++	systemd_filetrans_named_content(named_filetrans_domain)
 +	systemd_filetrans_named_hostname(named_filetrans_domain)
 +')
 +
@@ -22814,7 +22815,7 @@ index 6bf0ecc..9b46e11 100644
 +	dontaudit $1 xserver_log_t:dir search_dir_perms;
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 2696452..93b05fa 100644
+index 2696452..adbe339 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -26,28 +26,59 @@ gen_require(`
@@ -23179,7 +23180,7 @@ index 2696452..93b05fa 100644
 +	allow xdm_t self:process ptrace;
 +')
 +
-+allow xdm_t self:process { setexec setpgid getattr getcap setcap getsched getsession setsched setrlimit signal_perms setkeycreate };
++allow xdm_t self:process { setexec setpgid getattr getcap setcap getsched getsession setsched setrlimit signal_perms setkeycreate transition };
  allow xdm_t self:fifo_file rw_fifo_file_perms;
  allow xdm_t self:shm create_shm_perms;
  allow xdm_t self:sem create_sem_perms;
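Review bot: The `transition` permission added to `allow xdm_t self:process { ... }` carries no comment saying which xdm code path needs it. A transition whose source and target are both xdm_t is unusual, and the set already contains `setexec`, so the next reader cannot tell whether this is deliberate or was added to quiet an AVC. I would put a line above the rule such as `# xdm_t execs with an explicitly set xdm_t context (<reason or bug id>)`. If only one configuration triggers it, the permission could go in its own conditional rule rather than the unconditional set.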
@@ -27633,7 +27634,7 @@ index 24e7804..c4155c7 100644
 +	files_etc_filetrans($1, machineid_t, file, "machine-id" )
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index dd3be8d..df6af48 100644
+index dd3be8d..b717a9e 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -11,10 +11,24 @@ gen_require(`
@@ -27681,7 +27682,7 @@ index dd3be8d..df6af48 100644
  
  # Mark file type as a daemon run directory
  attribute daemonrundir;
-@@ -35,12 +57,13 @@ attribute daemonrundir;
+@@ -35,12 +57,14 @@ attribute daemonrundir;
  #
  # init_t is the domain of the init process.
  #
@@ -27690,13 +27691,14 @@ index dd3be8d..df6af48 100644
  type init_exec_t;
  domain_type(init_t)
  domain_entry_file(init_t, init_exec_t)
++domain_role_change_exemption(init_t)
  kernel_domtrans_to(init_t, init_exec_t)
  role system_r types init_t;
 +init_initrc_domain(init_t)
  
  #
  # init_var_run_t is the type for /var/run/shutdown.pid.
-@@ -49,6 +72,15 @@ type init_var_run_t;
+@@ -49,6 +73,15 @@ type init_var_run_t;
  files_pid_file(init_var_run_t)
  
  #
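Review bot: `domain_role_change_exemption(init_t)` is added to the init_t declaration block with no comment, and it exempts the most privileged domain on the system from the role-change constraint. The hunk shows only the declaration lines, so I cannot see which transition from init_t requires a different role. Please record that next to the call, for example `# init_t starts <service or session> in a role other than system_r; see <bug id>`. If the need is specific to one init system, the exemption would be better placed inside the matching conditional block than in the unconditional declarations; the rest of init.te is outside this hunk.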
@@ -27712,7 +27714,7 @@ index dd3be8d..df6af48 100644
  # initctl_t is the type of the named pipe created
  # by init during initialization.  This pipe is used
  # to communicate with init.
-@@ -57,7 +89,7 @@ type initctl_t;
+@@ -57,7 +90,7 @@ type initctl_t;
  files_type(initctl_t)
  mls_trusted_object(initctl_t)
  
@@ -27721,7 +27723,7 @@ index dd3be8d..df6af48 100644
  type initrc_exec_t, init_script_file_type;
  domain_type(initrc_t)
  domain_entry_file(initrc_t, initrc_exec_t)
-@@ -66,6 +98,8 @@ role system_r types initrc_t;
+@@ -66,6 +99,8 @@ role system_r types initrc_t;
  # of the below init_upstart tunable
  # but this has a typeattribute in it
  corecmd_shell_entry_type(initrc_t)
@@ -27730,7 +27732,7 @@ index dd3be8d..df6af48 100644
  
  type initrc_devpts_t;
  term_pty(initrc_devpts_t)
-@@ -98,7 +132,8 @@ ifdef(`enable_mls',`
+@@ -98,7 +133,8 @@ ifdef(`enable_mls',`
  #
  
  # Use capabilities. old rule:
@@ -27740,7 +27742,7 @@ index dd3be8d..df6af48 100644
  # is ~sys_module really needed? observed:
  # sys_boot
  # sys_tty_config
-@@ -110,12 +145,33 @@ allow init_t self:fifo_file rw_fifo_file_perms;
+@@ -110,12 +146,33 @@ allow init_t self:fifo_file rw_fifo_file_perms;
  
  # Re-exec itself
  can_exec(init_t, init_exec_t)
@@ -27780,7 +27782,7 @@ index dd3be8d..df6af48 100644
  
  allow init_t initctl_t:fifo_file manage_fifo_file_perms;
  dev_filetrans(init_t, initctl_t, fifo_file)
-@@ -125,13 +181,17 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+@@ -125,13 +182,17 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
  
  kernel_read_system_state(init_t)
  kernel_share_state(init_t)
@@ -27799,7 +27801,7 @@ index dd3be8d..df6af48 100644
  
  domain_getpgid_all_domains(init_t)
  domain_kill_all_domains(init_t)
-@@ -139,14 +199,20 @@ domain_signal_all_domains(init_t)
+@@ -139,14 +200,20 @@ domain_signal_all_domains(init_t)
  domain_signull_all_domains(init_t)
  domain_sigstop_all_domains(init_t)
  domain_sigchld_all_domains(init_t)
@@ -27820,7 +27822,7 @@ index dd3be8d..df6af48 100644
  # file descriptors inherited from the rootfs:
  files_dontaudit_rw_root_files(init_t)
  files_dontaudit_rw_root_chr_files(init_t)
-@@ -156,28 +222,49 @@ fs_list_inotifyfs(init_t)
+@@ -156,28 +223,49 @@ fs_list_inotifyfs(init_t)
  fs_write_ramfs_sockets(init_t)
  
  mcs_process_set_categories(init_t)
@@ -27873,7 +27875,7 @@ index dd3be8d..df6af48 100644
  
  ifdef(`distro_gentoo',`
  	allow init_t self:process { getcap setcap };
-@@ -186,29 +273,182 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +274,182 @@ ifdef(`distro_gentoo',`
  ')
  
  ifdef(`distro_redhat',`
@@ -28064,7 +28066,7 @@ index dd3be8d..df6af48 100644
  ')
  
  optional_policy(`
-@@ -216,7 +456,29 @@ optional_policy(`
+@@ -216,7 +457,29 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28094,7 +28096,7 @@ index dd3be8d..df6af48 100644
  ')
  
  ########################################
-@@ -225,8 +487,9 @@ optional_policy(`
+@@ -225,8 +488,9 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -28106,7 +28108,7 @@ index dd3be8d..df6af48 100644
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
  
-@@ -257,12 +520,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -257,12 +521,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -28123,7 +28125,7 @@ index dd3be8d..df6af48 100644
  
  manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
  manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -278,23 +545,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -278,23 +546,36 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -28166,7 +28168,7 @@ index dd3be8d..df6af48 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -302,9 +582,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -302,9 +583,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -28178,7 +28180,7 @@ index dd3be8d..df6af48 100644
  dev_rw_sysfs(initrc_t)
  dev_list_usbfs(initrc_t)
  dev_read_framebuffer(initrc_t)
-@@ -312,8 +594,10 @@ dev_write_framebuffer(initrc_t)
+@@ -312,8 +595,10 @@ dev_write_framebuffer(initrc_t)
  dev_read_realtime_clock(initrc_t)
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
@@ -28189,7 +28191,7 @@ index dd3be8d..df6af48 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -321,8 +605,7 @@ dev_manage_generic_files(initrc_t)
+@@ -321,8 +606,7 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -28199,7 +28201,7 @@ index dd3be8d..df6af48 100644
  
  domain_kill_all_domains(initrc_t)
  domain_signal_all_domains(initrc_t)
-@@ -331,7 +614,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -331,7 +615,6 @@ domain_sigstop_all_domains(initrc_t)
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
@@ -28207,7 +28209,7 @@ index dd3be8d..df6af48 100644
  domain_getsession_all_domains(initrc_t)
  domain_use_interactive_fds(initrc_t)
  # for lsof which is used by alsa shutdown:
-@@ -339,6 +621,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -339,6 +622,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -28215,7 +28217,7 @@ index dd3be8d..df6af48 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -346,14 +629,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -346,14 +630,15 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -28233,7 +28235,7 @@ index dd3be8d..df6af48 100644
  files_read_usr_files(initrc_t)
  files_manage_urandom_seed(initrc_t)
  files_manage_generic_spool(initrc_t)
-@@ -363,8 +647,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -363,8 +648,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -28247,7 +28249,7 @@ index dd3be8d..df6af48 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -374,10 +662,11 @@ fs_mount_all_fs(initrc_t)
+@@ -374,10 +663,11 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -28261,7 +28263,7 @@ index dd3be8d..df6af48 100644
  mcs_process_set_categories(initrc_t)
  
  mls_file_read_all_levels(initrc_t)
-@@ -386,6 +675,7 @@ mls_process_read_up(initrc_t)
+@@ -386,6 +676,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -28269,7 +28271,7 @@ index dd3be8d..df6af48 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -397,6 +687,7 @@ term_use_all_terms(initrc_t)
+@@ -397,6 +688,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -28277,7 +28279,7 @@ index dd3be8d..df6af48 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -415,20 +706,18 @@ logging_read_all_logs(initrc_t)
+@@ -415,20 +707,18 @@ logging_read_all_logs(initrc_t)
  logging_append_all_logs(initrc_t)
  logging_read_audit_config(initrc_t)
  
@@ -28301,7 +28303,7 @@ index dd3be8d..df6af48 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -450,7 +739,6 @@ ifdef(`distro_gentoo',`
+@@ -450,7 +740,6 @@ ifdef(`distro_gentoo',`
  	allow initrc_t self:process setfscreate;
  	dev_create_null_dev(initrc_t)
  	dev_create_zero_dev(initrc_t)
@@ -28309,7 +28311,7 @@ index dd3be8d..df6af48 100644
  	term_create_console_dev(initrc_t)
  
  	# unfortunately /sbin/rc does stupid tricks
-@@ -485,6 +773,10 @@ ifdef(`distro_gentoo',`
+@@ -485,6 +774,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -28320,7 +28322,7 @@ index dd3be8d..df6af48 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -505,7 +797,7 @@ ifdef(`distro_redhat',`
+@@ -505,7 +798,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -28329,7 +28331,7 @@ index dd3be8d..df6af48 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -520,6 +812,7 @@ ifdef(`distro_redhat',`
+@@ -520,6 +813,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -28337,7 +28339,7 @@ index dd3be8d..df6af48 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -540,6 +833,7 @@ ifdef(`distro_redhat',`
+@@ -540,6 +834,7 @@ ifdef(`distro_redhat',`
  	miscfiles_rw_localization(initrc_t)
  	miscfiles_setattr_localization(initrc_t)
  	miscfiles_relabel_localization(initrc_t)
@@ -28345,7 +28347,7 @@ index dd3be8d..df6af48 100644
  
  	miscfiles_read_fonts(initrc_t)
  	miscfiles_read_hwdata(initrc_t)
-@@ -549,8 +843,44 @@ ifdef(`distro_redhat',`
+@@ -549,8 +844,44 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -28390,7 +28392,7 @@ index dd3be8d..df6af48 100644
  	')
  
  	optional_policy(`
-@@ -558,14 +888,31 @@ ifdef(`distro_redhat',`
+@@ -558,14 +889,31 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -28422,7 +28424,7 @@ index dd3be8d..df6af48 100644
  	')
  ')
  
-@@ -576,6 +923,39 @@ ifdef(`distro_suse',`
+@@ -576,6 +924,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -28462,7 +28464,7 @@ index dd3be8d..df6af48 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -588,6 +968,8 @@ optional_policy(`
+@@ -588,6 +969,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -28471,7 +28473,7 @@ index dd3be8d..df6af48 100644
  ')
  
  optional_policy(`
-@@ -609,6 +991,7 @@ optional_policy(`
+@@ -609,6 +992,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -28479,7 +28481,7 @@ index dd3be8d..df6af48 100644
  ')
  
  optional_policy(`
-@@ -625,6 +1008,17 @@ optional_policy(`
+@@ -625,6 +1009,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28497,7 +28499,7 @@ index dd3be8d..df6af48 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -641,9 +1035,13 @@ optional_policy(`
+@@ -641,9 +1036,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -28511,7 +28513,7 @@ index dd3be8d..df6af48 100644
  	')
  
  	optional_policy(`
-@@ -656,15 +1054,11 @@ optional_policy(`
+@@ -656,15 +1055,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28529,7 +28531,7 @@ index dd3be8d..df6af48 100644
  ')
  
  optional_policy(`
-@@ -685,6 +1079,15 @@ optional_policy(`
+@@ -685,6 +1080,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28545,7 +28547,7 @@ index dd3be8d..df6af48 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -725,6 +1128,7 @@ optional_policy(`
+@@ -725,6 +1129,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -28553,7 +28555,7 @@ index dd3be8d..df6af48 100644
  ')
  
  optional_policy(`
-@@ -742,7 +1146,13 @@ optional_policy(`
+@@ -742,7 +1147,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28568,7 +28570,7 @@ index dd3be8d..df6af48 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -765,6 +1175,10 @@ optional_policy(`
+@@ -765,6 +1176,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28579,7 +28581,7 @@ index dd3be8d..df6af48 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -774,10 +1188,20 @@ optional_policy(`
+@@ -774,10 +1189,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28600,7 +28602,7 @@ index dd3be8d..df6af48 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -786,6 +1210,10 @@ optional_policy(`
+@@ -786,6 +1211,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28611,7 +28613,7 @@ index dd3be8d..df6af48 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -807,8 +1235,6 @@ optional_policy(`
+@@ -807,8 +1236,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -28620,7 +28622,7 @@ index dd3be8d..df6af48 100644
  ')
  
  optional_policy(`
-@@ -817,6 +1243,10 @@ optional_policy(`
+@@ -817,6 +1244,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28631,7 +28633,7 @@ index dd3be8d..df6af48 100644
  	# shorewall-init script run /var/lib/shorewall/firewall
  	shorewall_lib_domtrans(initrc_t)
  ')
-@@ -826,10 +1256,12 @@ optional_policy(`
+@@ -826,10 +1257,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -28644,7 +28646,7 @@ index dd3be8d..df6af48 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -856,12 +1288,28 @@ optional_policy(`
+@@ -856,12 +1289,28 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28674,7 +28676,7 @@ index dd3be8d..df6af48 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -871,6 +1319,18 @@ optional_policy(`
+@@ -871,6 +1320,18 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -28693,7 +28695,7 @@ index dd3be8d..df6af48 100644
  ')
  
  optional_policy(`
-@@ -886,6 +1346,10 @@ optional_policy(`
+@@ -886,6 +1347,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28704,7 +28706,7 @@ index dd3be8d..df6af48 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -896,3 +1360,196 @@ optional_policy(`
+@@ -896,3 +1361,196 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -29489,7 +29491,7 @@ index c42fbc3..174cfdb 100644
  ## <summary>
  ##	Set the attributes of iptables config files.
 diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
-index 5dfa44b..4abf7fd 100644
+index 5dfa44b..cafb28e 100644
 --- a/policy/modules/system/iptables.te
 +++ b/policy/modules/system/iptables.te
 @@ -16,15 +16,15 @@ role iptables_roles types iptables_t;
@@ -29600,8 +29602,8 @@ index 5dfa44b..4abf7fd 100644
 +')
 +
 +optional_policy(`
-+    quantum_rw_inherited_pipes(iptables_t)
-+    quantum_sigchld(iptables_t)
++    neutron_rw_inherited_pipes(iptables_t)
++    neutron_sigchld(iptables_t)
  ')
  
  optional_policy(`
@@ -33463,7 +33465,7 @@ index d43f3b1..870bc36 100644
 +/etc/share/selinux/targeted(/.*)?	gen_context(system_u:object_r:semanage_store_t,s0)
 +/etc/share/selinux/mls(/.*)?		gen_context(system_u:object_r:semanage_store_t,s0)
 diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
-index 3822072..9fcc183 100644
+index 3822072..270bde3 100644
 --- a/policy/modules/system/selinuxutil.if
 +++ b/policy/modules/system/selinuxutil.if
 @@ -192,11 +192,22 @@ interface(`seutil_domtrans_newrole',`
@@ -33869,7 +33871,7 @@ index 3822072..9fcc183 100644
  ##	Execute semanage in the semanage domain, and
  ##	allow the specified role the semanage domain,
  ##	and use the caller's terminal.
-@@ -1017,11 +1310,66 @@ interface(`seutil_domtrans_semanage',`
+@@ -1017,11 +1310,67 @@ interface(`seutil_domtrans_semanage',`
  #
  interface(`seutil_run_semanage',`
  	gen_require(`
@@ -33935,12 +33937,15 @@ index 3822072..9fcc183 100644
 +	files_search_etc($1)
 +	list_dirs_pattern($1, selinux_config_t, semanage_store_t)
 +	read_files_pattern($1, semanage_store_t, semanage_store_t)
++	read_lnk_files_pattern($1, semanage_store_t, semanage_store_t)
  ')
  
  ########################################
-@@ -1044,6 +1392,9 @@ interface(`seutil_manage_module_store',`
+@@ -1043,7 +1392,11 @@ interface(`seutil_manage_module_store',`
+ 	files_search_etc($1)
  	manage_dirs_pattern($1, selinux_config_t, semanage_store_t)
  	manage_files_pattern($1, semanage_store_t, semanage_store_t)
++	manage_lnk_files_pattern($1, semanage_store_t, semanage_store_t)
  	filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "modules")
 +	filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "active")
 +	filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "previous")
@@ -33948,7 +33953,7 @@ index 3822072..9fcc183 100644
  ')
  
  #######################################
-@@ -1137,3 +1488,122 @@ interface(`seutil_dontaudit_libselinux_linked',`
+@@ -1137,3 +1490,122 @@ interface(`seutil_dontaudit_libselinux_linked',`
  	selinux_dontaudit_get_fs_mount($1)
  	seutil_dontaudit_read_config($1)
  ')
@@ -39056,7 +39061,7 @@ index db75976..65191bd 100644
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 3c5dba7..fc2fb65 100644
+index 3c5dba7..c4bc032 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -41746,7 +41751,7 @@ index 3c5dba7..fc2fb65 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3431,11 +4227,1516 @@ interface(`userdom_create_all_users_keys',`
+@@ -3431,11 +4227,1518 @@ interface(`userdom_create_all_users_keys',`
  ##	</summary>
  ## </param>
  #
@@ -42659,6 +42664,8 @@ index 3c5dba7..fc2fb65 100644
 +
 +	userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".cert")
 +	userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".pki")
++	userdom_admin_home_dir_filetrans($1, home_cert_t, dir, ".pki")
++	userdom_admin_home_dir_filetrans($1, home_cert_t, dir, ".cert")
 +')
 +
 +#######################################
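Review bot: The two `userdom_admin_home_dir_filetrans` lines add named transitions for `.pki` and `.cert` under the admin home, but nothing in this hunk shows matching file-context entries for those paths. If the .fc specification labels them differently, a later relabel will undo what the transition set up, so it is worth confirming that both agree on `home_cert_t`. As a style point, the new pair is listed `.pki` then `.cert`, the reverse of the user-home pair directly above; keeping the order `".cert"` then `".pki"` makes the two pairs easy to compare. The enclosing interface begins outside the hunk.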
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 04f1130..4595712 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -2682,10 +2682,10 @@ index 0000000..df5b3be
 +')
 diff --git a/antivirus.te b/antivirus.te
 new file mode 100644
-index 0000000..0c9dc73
+index 0000000..e10fe0d
 --- /dev/null
 +++ b/antivirus.te
-@@ -0,0 +1,257 @@
+@@ -0,0 +1,261 @@
 +policy_module(antivirus, 1.0.0)
 +
 +########################################
@@ -2783,14 +2783,12 @@ index 0000000..0c9dc73
 +
 +can_exec(antivirus_domain, antivirus_exec_t)
 +
++kernel_read_network_state(antivirus_t)
 +kernel_read_net_sysctls(antivirus_t)
 +kernel_read_kernel_sysctls(antivirus_domain)
 +kernel_read_sysctl(antivirus_domain)
 +kernel_read_system_state(antivirus_t)
 +
-+kernel_dontaudit_list_proc(antivirus_domain)
-+kernel_dontaudit_read_proc_symlinks(antivirus_domain)
-+
 +corecmd_exec_bin(antivirus_domain)
 +corecmd_exec_shell(antivirus_domain)
 +
@@ -2827,6 +2825,10 @@ index 0000000..0c9dc73
 +corenet_tcp_connect_http_port(antivirus_domain)
 +corenet_tcp_sendrecv_http_port(antivirus_domain)
 +
++corenet_sendrecv_http_cache_client_packets(antivirus_domain)
++corenet_tcp_connect_http_cache_port(antivirus_domain)
++corenet_tcp_sendrecv_http_cache_port(antivirus_domain)
++
 +corenet_sendrecv_snmp_client_packets(antivirus_domain)
 +corenet_tcp_connect_snmp_port(antivirus_domain)
 +
@@ -2851,6 +2853,7 @@ index 0000000..0c9dc73
 +init_read_state(antivirus_domain)
 +init_read_utmp(antivirus_domain)
 +init_stream_connect_script(antivirus_domain)
++init_dontaudit_write_utmp(antivirus_domain)
 +
 +logging_send_syslog_msg(antivirus_t)
 +
@@ -2858,6 +2861,7 @@ index 0000000..0c9dc73
 +
 +sysnet_use_ldap(antivirus_domain)
 +
++userdom_stream_connect(antivirus_domain)
 +userdom_dontaudit_search_user_home_dirs(antivirus_domain)
 +
 +tunable_policy(`antivirus_can_scan_system',`
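Review bot: `userdom_stream_connect(antivirus_domain)` is granted unconditionally and to the whole `antivirus_domain` attribute, so every scanner and helper type carrying that attribute may connect to user-domain stream sockets. Nothing in the hunk says which daemon needs this. It sits directly above `tunable_policy(`antivirus_can_scan_system',`, which suggests the broader accesses were meant to be opt-in. I would either narrow the argument to the single type that needs the connection or add a comment such as `# <daemon> talks to <user service> over a unix socket; see <bug id>`.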
@@ -9204,10 +9208,10 @@ index 02fefaa..fbcef10 100644
 +	')
  ')
 diff --git a/boinc.te b/boinc.te
-index 7c92aa1..6b6cd51 100644
+index 7c92aa1..47619ff 100644
 --- a/boinc.te
 +++ b/boinc.te
-@@ -1,11 +1,13 @@
+@@ -1,11 +1,20 @@
 -policy_module(boinc, 1.0.3)
 +policy_module(boinc, 1.0.0)
  
@@ -9217,13 +9221,20 @@ index 7c92aa1..6b6cd51 100644
  #
  
 -type boinc_t;
++## <desc>
++##	<p>
++##	Allow boinc_domain execmem/execstack.
++##	</p>
++## </desc>
++gen_tunable(boinc_execmem, true)
++
 +attribute boinc_domain;
 +
 +type boinc_t, boinc_domain;
  type boinc_exec_t;
  init_daemon_domain(boinc_t, boinc_exec_t)
  
-@@ -21,31 +23,66 @@ files_tmpfs_file(boinc_tmpfs_t)
+@@ -21,31 +30,69 @@ files_tmpfs_file(boinc_tmpfs_t)
  type boinc_var_lib_t;
  files_type(boinc_var_lib_t)
  
@@ -9255,7 +9266,6 @@ index 7c92aa1..6b6cd51 100644
 +allow boinc_domain self:fifo_file rw_fifo_file_perms;
 +allow boinc_domain self:process signal;
 +allow boinc_domain self:sem create_sem_perms;
-+allow boinc_domain self:process execmem;
 +
 +manage_dirs_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
 +manage_files_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
@@ -9277,6 +9287,10 @@ index 7c92aa1..6b6cd51 100644
 +
 +miscfiles_read_fonts(boinc_domain)
 +
++tunable_policy(`boinc_execmem',`
++    allow boinc_domain self:process { execstack execmem };
++')
++
 +optional_policy(`
 +	sysnet_dns_name_resolve(boinc_domain)
 +')
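Review bot: The new `tunable_policy(`boinc_execmem', ...)` block grants `execstack` in addition to `execmem`, while the rule it replaces (`allow boinc_domain self:process execmem;`, removed in the preceding hunk) granted only `execmem`. Because the earlier hunk declares `gen_tunable(boinc_execmem, true)`, the default policy for boinc_domain ends up wider than before rather than gated. I would keep the body as `allow boinc_domain self:process execmem;` and put `execstack` under a separate boolean that defaults to false, or drop it if no denial justified it. The body is also indented with four spaces where the rest of the file uses a tab.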
@@ -9299,7 +9313,7 @@ index 7c92aa1..6b6cd51 100644
  
  manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
  manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
-@@ -54,74 +91,48 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
+@@ -54,74 +101,48 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
  manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t)
  fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file)
  
@@ -9396,7 +9410,7 @@ index 7c92aa1..6b6cd51 100644
  
  term_getattr_all_ptys(boinc_t)
  term_getattr_unallocated_ttys(boinc_t)
-@@ -130,55 +141,67 @@ init_read_utmp(boinc_t)
+@@ -130,55 +151,67 @@ init_read_utmp(boinc_t)
  
  logging_send_syslog_msg(boinc_t)
  
@@ -11811,10 +11825,10 @@ index 0000000..8ac848b
 +')
 diff --git a/cloudform.te b/cloudform.te
 new file mode 100644
-index 0000000..a56e579
+index 0000000..0f133be
 --- /dev/null
 +++ b/cloudform.te
-@@ -0,0 +1,296 @@
+@@ -0,0 +1,297 @@
 +policy_module(cloudform, 1.0)
 +########################################
 +#
@@ -11919,6 +11933,8 @@ index 0000000..a56e579
 +corecmd_exec_bin(cloud_init_t)
 +corecmd_exec_shell(cloud_init_t)
 +
++domain_read_all_domains_state(cloud_init_t)
++
 +fs_getattr_all_fs(cloud_init_t)
 +
 +storage_raw_read_fixed_disk(cloud_init_t)
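Review bot: `domain_read_all_domains_state(cloud_init_t)` lets cloud_init_t read the process state of every domain on the system, and the hunk gives no indication of what cloud-init runs that needs it. A later hunk of this file shows `unconfined_domain(cloud_init_t)`, so the rule presumably only matters when that block is not in effect, which is exactly when a narrow grant is most valuable. A comment such as `# cloud-init runs <tool> which walks /proc; see <bug id>` would document the intent. If only a few domains are inspected, a targeted read-state interface for those would be preferable.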
@@ -11978,7 +11994,6 @@ index 0000000..a56e579
 +    unconfined_domain(cloud_init_t)
 +')
 +
-+
 +########################################
 +#
 +# deltacloudd local policy
@@ -13908,7 +13923,7 @@ index c086302..4f33119 100644
  
  /etc/rc\.d/init\.d/couchdb	--	gen_context(system_u:object_r:couchdb_initrc_exec_t,s0)
 diff --git a/couchdb.if b/couchdb.if
-index 83d6744..b934cb7 100644
+index 83d6744..afa2f78 100644
 --- a/couchdb.if
 +++ b/couchdb.if
 @@ -2,6 +2,44 @@
@@ -13956,7 +13971,7 @@ index 83d6744..b934cb7 100644
  ##	All of the rules required to
  ##	administrate an couchdb environment.
  ## </summary>
-@@ -10,6 +48,108 @@
+@@ -10,6 +48,127 @@
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -14027,6 +14042,25 @@ index 83d6744..b934cb7 100644
 +	allow $1 couchdb_var_run_t:file read_file_perms;
 +')
 +
++#######################################
++## <summary>
++##      Search couchdb PID dirs.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`couchdb_search_pid_dirs',`
++        gen_require(`
++                type couchdb_var_run_t;
++        ')
++
++        files_search_pids($1)
++        allow $1 couchdb_var_run_t:dir search_dir_perms;
++')
++
 +########################################
 +## <summary>
 +##	Execute couchdb server in the couchdb domain.
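Review bot: The new `couchdb_search_pid_dirs` interface is indented with spaces (eight for the body, sixteen inside `gen_require`, six in the `##` doc lines), while the neighbouring interfaces in this file use tabs, as the `##	Execute couchdb server ...` line right after it shows. Please re-indent with tabs so the block matches, e.g. `	gen_require(`` / `		type couchdb_var_run_t;` / `	allow $1 couchdb_var_run_t:dir search_dir_perms;`. The rule itself (`search_dir_perms` on `couchdb_var_run_t` after `files_search_pids($1)`) follows the usual pattern and needs no change.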
@@ -14065,7 +14099,7 @@ index 83d6744..b934cb7 100644
  ## <param name="role">
  ##	<summary>
  ##	Role allowed access.
-@@ -19,14 +159,19 @@
+@@ -19,14 +178,19 @@
  #
  interface(`couchdb_admin',`
  	gen_require(`
@@ -14086,7 +14120,7 @@ index 83d6744..b934cb7 100644
  	init_labeled_script_domtrans($1, couchdb_initrc_exec_t)
  	domain_system_change_exemption($1)
  	role_transition $2 couchdb_initrc_exec_t system_r;
-@@ -46,4 +191,13 @@ interface(`couchdb_admin',`
+@@ -46,4 +210,13 @@ interface(`couchdb_admin',`
  
  	files_search_pids($1)
  	admin_pattern($1, couchdb_var_run_t)
@@ -21464,7 +21498,7 @@ index 19aa0b8..1e8b244 100644
 +	allow $1 dnsmasq_unit_file_t:service all_service_perms;
  ')
 diff --git a/dnsmasq.te b/dnsmasq.te
-index ba14bcf..0a3179c 100644
+index ba14bcf..a3e6c7c 100644
 --- a/dnsmasq.te
 +++ b/dnsmasq.te
 @@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t)
@@ -21538,10 +21572,10 @@ index ba14bcf..0a3179c 100644
  ')
 +
 +optional_policy(`
-+    quantum_manage_lib_files(dnsmasq_t)
-+    quantum_stream_connect(dnsmasq_t)
-+    quantum_rw_fifo_file(dnsmasq_t)
-+    quantum_sigchld(dnsmasq_t)
++    neutron_manage_lib_files(dnsmasq_t)
++    neutron_stream_connect(dnsmasq_t)
++    neutron_rw_fifo_file(dnsmasq_t)
++    neutron_sigchld(dnsmasq_t)
 +')
 diff --git a/dnssec.fc b/dnssec.fc
 new file mode 100644
@@ -23943,7 +23977,7 @@ index 5cf6ac6..0fc685b 100644
 +	allow $1 firewalld_unit_file_t:service all_service_perms;
  ')
 diff --git a/firewalld.te b/firewalld.te
-index c8014f8..2888d51 100644
+index c8014f8..bacc80c 100644
 --- a/firewalld.te
 +++ b/firewalld.te
 @@ -21,11 +21,20 @@ logging_log_file(firewalld_var_log_t)
@@ -24024,7 +24058,7 @@ index c8014f8..2888d51 100644
  
  optional_policy(`
  	dbus_system_domain(firewalld_t, firewalld_exec_t)
-@@ -85,6 +102,10 @@ optional_policy(`
+@@ -85,9 +102,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -24035,6 +24069,13 @@ index c8014f8..2888d51 100644
  	iptables_domtrans(firewalld_t)
  ')
  
+ optional_policy(`
+ 	modutils_domtrans_insmod(firewalld_t)
+ ')
++
++optional_policy(`
++    NetworkManager_read_state(firewalld_t)
++')
 diff --git a/firewallgui.if b/firewallgui.if
 index e6866d1..941f4ef 100644
 --- a/firewallgui.if
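Review bot: `NetworkManager_read_state(firewalld_t)` uses a mixed-case interface name, whereas the interfaces visible in networkmanager.if later in this patch use the lower-case `networkmanager_` prefix (for example `networkmanager_domtrans`). If no interface with this exact spelling is defined, the call will not resolve, so please check it against the .if file; the likely intent is `networkmanager_read_state(firewalld_t)`, if that is the interface meant. The later networkmanager.if hunk contains `NetworkManagerrc` in a summary and an interface name, which looks like the same search-and-replace artefact and deserves the same check. The call is also indented with four spaces while the other optional blocks here use a tab.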
@@ -29981,7 +30022,7 @@ index fbb54e7..05c3777 100644
  
  ########################################
 diff --git a/inetd.te b/inetd.te
-index 1a5ed62..9762e4a 100644
+index 1a5ed62..420305b 100644
 --- a/inetd.te
 +++ b/inetd.te
 @@ -37,9 +37,9 @@ ifdef(`enable_mcs',`
@@ -29996,7 +30037,15 @@ index 1a5ed62..9762e4a 100644
  allow inetd_t self:fifo_file rw_fifo_file_perms;
  allow inetd_t self:tcp_socket { accept listen };
  allow inetd_t self:fd use;
-@@ -98,6 +98,11 @@ corenet_sendrecv_inetd_child_server_packets(inetd_t)
+@@ -61,6 +61,7 @@ kernel_read_system_state(inetd_t)
+ kernel_tcp_recvfrom_unlabeled(inetd_t)
+ 
+ corecmd_bin_domtrans(inetd_t, inetd_child_t)
++corecmd_exec_shell(inetd_t)
+ 
+ corenet_all_recvfrom_unlabeled(inetd_t)
+ corenet_all_recvfrom_netlabel(inetd_t)
+@@ -98,6 +99,11 @@ corenet_sendrecv_inetd_child_server_packets(inetd_t)
  corenet_tcp_bind_inetd_child_port(inetd_t)
  corenet_udp_bind_inetd_child_port(inetd_t)
  
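Review bot: `corecmd_exec_shell(inetd_t)` lets the network-facing inetd_t domain run a shell without a domain transition, so anything started that way keeps inetd_t's own permissions, including its port-binding rules. The line above it, `corecmd_bin_domtrans(inetd_t, inetd_child_t)`, shows the file's existing pattern of moving executed programs into `inetd_child_t`. I cannot see from the hunk what needs the shell. Please add a comment such as `# <service wrapper> is a shell script launched by xinetd; see <bug id>`, and consider whether a transition to `inetd_child_t` for that script would cover the case instead of an in-domain exec.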
@@ -30008,7 +30057,7 @@ index 1a5ed62..9762e4a 100644
  corenet_sendrecv_ircd_server_packets(inetd_t)
  corenet_tcp_bind_ircd_port(inetd_t)
  
-@@ -157,8 +162,6 @@ auth_use_nsswitch(inetd_t)
+@@ -157,8 +163,6 @@ auth_use_nsswitch(inetd_t)
  
  logging_send_syslog_msg(inetd_t)
  
@@ -30017,7 +30066,7 @@ index 1a5ed62..9762e4a 100644
  mls_fd_share_all_levels(inetd_t)
  mls_socket_read_to_clearance(inetd_t)
  mls_socket_write_to_clearance(inetd_t)
-@@ -188,7 +191,7 @@ optional_policy(`
+@@ -188,7 +192,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30026,7 +30075,7 @@ index 1a5ed62..9762e4a 100644
  ')
  
  optional_policy(`
-@@ -220,6 +223,14 @@ kernel_read_kernel_sysctls(inetd_child_t)
+@@ -220,6 +224,14 @@ kernel_read_kernel_sysctls(inetd_child_t)
  kernel_read_network_state(inetd_child_t)
  kernel_read_system_state(inetd_child_t)
  
@@ -30041,7 +30090,7 @@ index 1a5ed62..9762e4a 100644
  dev_read_urand(inetd_child_t)
  
  fs_getattr_xattr_fs(inetd_child_t)
-@@ -230,7 +241,11 @@ auth_use_nsswitch(inetd_child_t)
+@@ -230,7 +242,11 @@ auth_use_nsswitch(inetd_child_t)
  
  logging_send_syslog_msg(inetd_child_t)
  
@@ -37776,7 +37825,7 @@ index 1d4eb19..650014e 100644
  	admin_pattern($1, memcached_var_run_t)
  ')
 diff --git a/memcached.te b/memcached.te
-index 4926208..018a640 100644
+index 4926208..4396320 100644
 --- a/memcached.te
 +++ b/memcached.te
 @@ -20,7 +20,7 @@ files_pid_file(memcached_var_run_t)
@@ -37788,7 +37837,15 @@ index 4926208..018a640 100644
  dontaudit memcached_t self:capability sys_tty_config;
  allow memcached_t self:process { setrlimit signal_perms };
  allow memcached_t self:tcp_socket { accept listen };
-@@ -57,4 +57,3 @@ term_dontaudit_use_console(memcached_t)
+@@ -51,10 +51,11 @@ corenet_tcp_sendrecv_all_ports(memcached_t)
+ corenet_udp_bind_memcache_port(memcached_t)
+ corenet_udp_sendrecv_all_ports(memcached_t)
+ 
++dev_read_sysfs(memcached_t)
++
+ term_dontaudit_use_all_ptys(memcached_t)
+ term_dontaudit_use_all_ttys(memcached_t)
+ term_dontaudit_use_console(memcached_t)
  
  auth_use_nsswitch(memcached_t)
  
@@ -45611,7 +45668,7 @@ index a1fb3c3..82f8ae6 100644
 +/var/run/wpa_supplicant(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
  /var/run/wpa_supplicant-global	-s	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 diff --git a/networkmanager.if b/networkmanager.if
-index 0e8508c..0b68b86 100644
+index 0e8508c..f8893f8 100644
 --- a/networkmanager.if
 +++ b/networkmanager.if
 @@ -2,7 +2,7 @@
@@ -45697,14 +45754,42 @@ index 0e8508c..0b68b86 100644
  ## <summary>
 -##	Execute networkmanager scripts with
 -##	an automatic domain transition to initrc.
-+##	Execute NetworkManager scripts with an automatic domain transition to initrc.
++##	Execute NetworkManager scripts with an automatic domain transition to NetworkManagerrc.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -114,8 +116,31 @@ interface(`networkmanager_initrc_domtrans',`
- 
- ########################################
- ## <summary>
+@@ -104,18 +106,59 @@ interface(`networkmanager_domtrans',`
+ ##	</summary>
+ ## </param>
+ #
++interface(`networkmanager_NetworkManagerrc_domtrans',`
++	gen_require(`
++		type NetworkManager_NetworkManagerrc_exec_t;
++	')
++
++	NetworkManager_labeled_script_domtrans($1, NetworkManager_NetworkManagerrc_exec_t)
++')
++
++#######################################
++## <summary>
++##      Execute NetworkManager scripts with an automatic domain transition to initrc.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed to transition.
++##      </summary>
++## </param>
++#
+ interface(`networkmanager_initrc_domtrans',`
++        gen_require(`
++                type NetworkManager_initrc_exec_t;
++        ')
++
++        init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
++')
++
++########################################
++## <summary>
 +##	Execute NetworkManager server in the NetworkManager domain.
 +## </summary>
 +## <param name="domain">
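Review bot: The new `networkmanager_NetworkManagerrc_domtrans` interface in networkmanager.if looks like an accidental search-and-replace of `init` with `NetworkManager`. It requires `NetworkManager_NetworkManagerrc_exec_t` and calls `NetworkManager_labeled_script_domtrans`, and neither name is declared in the visible part of the patch. If they do not exist elsewhere, any caller of the interface fails to build, and its summary ("domain transition to NetworkManagerrc") names no real domain. The re-added `networkmanager_initrc_domtrans` already requires `NetworkManager_initrc_exec_t` and calls `init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)`, so I would drop the new interface together with its summary block. The re-added block is also indented with spaces where the neighbouring interfaces use tabs.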
@@ -45714,27 +45799,29 @@ index 0e8508c..0b68b86 100644
 +## </param>
 +#
 +interface(`networkmanager_systemctl',`
-+	gen_require(`
+ 	gen_require(`
+-		type NetworkManager_initrc_exec_t;
 +		type NetworkManager_unit_file_t;
 +		type NetworkManager_t;
-+	')
-+
+ 	')
+ 
+-	init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
 +	systemd_exec_systemctl($1)
 +	allow $1 NetworkManager_unit_file_t:file read_file_perms;
 +	allow $1 NetworkManager_unit_file_t:service manage_service_perms;
 +
 +	ps_process_pattern($1, NetworkManager_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
  ##	Send and receive messages from
 -##	networkmanager over dbus.
 +##	NetworkManager over dbus.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -135,7 +160,29 @@ interface(`networkmanager_dbus_chat',`
+@@ -135,7 +178,29 @@ interface(`networkmanager_dbus_chat',`
  
  ########################################
  ## <summary>
@@ -45765,7 +45852,7 @@ index 0e8508c..0b68b86 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -153,7 +200,7 @@ interface(`networkmanager_signal',`
+@@ -153,7 +218,7 @@ interface(`networkmanager_signal',`
  
  ########################################
  ## <summary>
@@ -45774,7 +45861,7 @@ index 0e8508c..0b68b86 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -171,9 +218,28 @@ interface(`networkmanager_read_lib_files',`
+@@ -171,9 +236,28 @@ interface(`networkmanager_read_lib_files',`
  	read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
  ')
  
@@ -45804,7 +45891,7 @@ index 0e8508c..0b68b86 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -181,19 +247,18 @@ interface(`networkmanager_read_lib_files',`
+@@ -181,19 +265,18 @@ interface(`networkmanager_read_lib_files',`
  ##	</summary>
  ## </param>
  #
@@ -45829,7 +45916,7 @@ index 0e8508c..0b68b86 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -201,23 +266,23 @@ interface(`networkmanager_append_log_files',`
+@@ -201,23 +284,23 @@ interface(`networkmanager_append_log_files',`
  ##	</summary>
  ## </param>
  #
@@ -45858,7 +45945,7 @@ index 0e8508c..0b68b86 100644
  ##	</summary>
  ## </param>
  ## <param name="role">
-@@ -227,33 +292,112 @@ interface(`networkmanager_read_pid_files',`
+@@ -227,33 +310,132 @@ interface(`networkmanager_read_pid_files',`
  ## </param>
  ## <rolecap/>
  #
@@ -45949,6 +46036,26 @@ index 0e8508c..0b68b86 100644
 +    stream_connect_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t, NetworkManager_t)
 +')
 +
++#######################################
++## <summary>
++##      Read the process state (/proc/pid) of NetworkManager.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`NetworkManager_read_state',`
++        gen_require(`
++            type NetworkManager_t;
++    ')
++
++    allow $1 NetworkManager_t:dir search_dir_perms;
++    allow $1 NetworkManager_t:file read_file_perms;
++    allow $1 NetworkManager_t:lnk_file read_lnk_file_perms;
++')
++
 +########################################
 +## <summary>
 +##	Transition to networkmanager named content
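Review bot: `NetworkManager_read_state` breaks the naming of the other interfaces visible in networkmanager.if, which all use the lowercase `networkmanager_` prefix (`networkmanager_systemctl`, `networkmanager_dbus_chat`, `networkmanager_read_lib_files`). I would rename it to `networkmanager_read_state` and indent the body with tabs; as written, the `gen_require` block closes at a different column from where it opens. Other read_state interfaces in the reference policy usually also call `kernel_search_proc($1)` so the /proc lookup does not rely on the caller already having it, which is worth checking here.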
@@ -48332,7 +48439,7 @@ index 97df768..852d1c6 100644
 +	admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
  ')
 diff --git a/nslcd.te b/nslcd.te
-index a3e56f0..8903423 100644
+index a3e56f0..f70a784 100644
 --- a/nslcd.te
 +++ b/nslcd.te
 @@ -1,4 +1,4 @@
@@ -48358,8 +48465,12 @@ index a3e56f0..8903423 100644
  
  allow nslcd_t nslcd_conf_t:file read_file_perms;
  
-@@ -38,12 +38,8 @@ kernel_read_system_state(nslcd_t)
+@@ -36,14 +36,12 @@ files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir })
+ 
+ kernel_read_system_state(nslcd_t)
  
++dev_read_sysfs(nslcd_t)
++
  corenet_all_recvfrom_unlabeled(nslcd_t)
  corenet_all_recvfrom_netlabel(nslcd_t)
 -corenet_tcp_sendrecv_generic_if(nslcd_t)
@@ -48372,7 +48483,7 @@ index a3e56f0..8903423 100644
  
  files_read_usr_symlinks(nslcd_t)
  files_list_tmp(nslcd_t)
-@@ -52,10 +48,14 @@ auth_use_nsswitch(nslcd_t)
+@@ -52,10 +50,14 @@ auth_use_nsswitch(nslcd_t)
  
  logging_send_syslog_msg(nslcd_t)
  
@@ -66101,26 +66212,45 @@ index 76f5b39..8bb80a2 100644
 +')
 +
 diff --git a/quantum.fc b/quantum.fc
-index 70ab68b..e97da31 100644
+index 70ab68b..1de192b 100644
 --- a/quantum.fc
 +++ b/quantum.fc
-@@ -1,9 +1,14 @@
-+/usr/lib/systemd/system/quantum.*	--	gen_context(system_u:object_r:quantum_unit_file_t,s0)
-+
- /etc/rc\.d/init\.d/quantum.*	--	gen_context(system_u:object_r:quantum_initrc_exec_t,s0)
- 
- /usr/bin/quantum-server	--	gen_context(system_u:object_r:quantum_exec_t,s0)
- /usr/bin/quantum-openvswitch-agent	--	gen_context(system_u:object_r:quantum_exec_t,s0)
- /usr/bin/quantum-linuxbridge-agent	--	gen_context(system_u:object_r:quantum_exec_t,s0)
- /usr/bin/quantum-ryu-agent	--	gen_context(system_u:object_r:quantum_exec_t,s0)
-+/usr/bin/quantum-dhcp-agent     --  gen_context(system_u:object_r:quantum_exec_t,s0)
-+/usr/bin/quantum-l3-agent       --  gen_context(system_u:object_r:quantum_exec_t,s0)
-+/usr/bin/quantum-ovs-cleanup    --  gen_context(system_u:object_r:quantum_exec_t,s0)
- 
- /var/lib/quantum(/.*)?	gen_context(system_u:object_r:quantum_var_lib_t,s0)
- 
+@@ -1,10 +1,26 @@
+-/etc/rc\.d/init\.d/quantum.*	--	gen_context(system_u:object_r:quantum_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/neutron.*	--	gen_context(system_u:object_r:neutron_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/quantum.*	--	gen_context(system_u:object_r:neutron_initrc_exec_t,s0)
+ 
+-/usr/bin/quantum-server	--	gen_context(system_u:object_r:quantum_exec_t,s0)
+-/usr/bin/quantum-openvswitch-agent	--	gen_context(system_u:object_r:quantum_exec_t,s0)
+-/usr/bin/quantum-linuxbridge-agent	--	gen_context(system_u:object_r:quantum_exec_t,s0)
+-/usr/bin/quantum-ryu-agent	--	gen_context(system_u:object_r:quantum_exec_t,s0)
++/usr/bin/neutron-dhcp-agent     --  gen_context(system_u:object_r:neutron_exec_t,s0)
++/usr/bin/neutron-l3-agent       --  gen_context(system_u:object_r:neutron_exec_t,s0)
++/usr/bin/neutron-linuxbridge-agent	--	gen_context(system_u:object_r:neutron_exec_t,s0)
++/usr/bin/neutron-openvswitch-agent	--	gen_context(system_u:object_r:neutron_exec_t,s0)
++/usr/bin/neutron-ovs-cleanup    --  gen_context(system_u:object_r:neutron_exec_t,s0)
++/usr/bin/neutron-ryu-agent	--	gen_context(system_u:object_r:neutron_exec_t,s0)
++/usr/bin/neutron-server	--	gen_context(system_u:object_r:neutron_exec_t,s0)
++/usr/bin/quantum-dhcp-agent     --  gen_context(system_u:object_r:neutron_exec_t,s0)
++/usr/bin/quantum-l3-agent       --  gen_context(system_u:object_r:neutron_exec_t,s0)
++/usr/bin/quantum-linuxbridge-agent	--	gen_context(system_u:object_r:neutron_exec_t,s0)
++/usr/bin/quantum-openvswitch-agent	--	gen_context(system_u:object_r:neutron_exec_t,s0)
++/usr/bin/quantum-ovs-cleanup    --  gen_context(system_u:object_r:neutron_exec_t,s0)
++/usr/bin/quantum-ryu-agent	--	gen_context(system_u:object_r:neutron_exec_t,s0)
++/usr/bin/quantum-server	--	gen_context(system_u:object_r:neutron_exec_t,s0)
+ 
+-/var/lib/quantum(/.*)?	gen_context(system_u:object_r:quantum_var_lib_t,s0)
++/usr/lib/systemd/system/neutron.*	--	gen_context(system_u:object_r:neutron_unit_file_t,s0)
++/usr/lib/systemd/system/quantum.*	--	gen_context(system_u:object_r:neutron_unit_file_t,s0)
+ 
+-/var/log/quantum(/.*)?	gen_context(system_u:object_r:quantum_log_t,s0)
++/var/lib/neutron(/.*)?	gen_context(system_u:object_r:neutron_var_lib_t,s0)
++/var/lib/quantum(/.*)?	gen_context(system_u:object_r:neutron_var_lib_t,s0)
++
++/var/log/neutron(/.*)?	gen_context(system_u:object_r:neutron_log_t,s0)
++/var/log/quantum(/.*)?	gen_context(system_u:object_r:neutron_log_t,s0)
 diff --git a/quantum.if b/quantum.if
-index afc0068..7b3cfad 100644
+index afc0068..3105104 100644
 --- a/quantum.if
 +++ b/quantum.if
 @@ -2,41 +2,293 @@
@@ -66129,7 +66259,7 @@ index afc0068..7b3cfad 100644
  ## <summary>
 -##	All of the rules required to
 -##	administrate an quantum environment.
-+##	Transition to quantum.
++##	Transition to neutron.
 +## </summary>
 +## <param name="domain">
 +## <summary>
@@ -66137,77 +66267,78 @@ index afc0068..7b3cfad 100644
 +## </summary>
 +## </param>
 +#
-+interface(`quantum_domtrans',`
++interface(`neutron_domtrans',`
 +	gen_require(`
-+		type quantum_t, quantum_exec_t;
++		type neutron_t, neutron_exec_t;
 +	')
 +
 +	corecmd_search_bin($1)
-+	domtrans_pattern($1, quantum_exec_t, quantum_t)
++	domtrans_pattern($1, neutron_exec_t, neutron_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Allow read/write quantum pipes
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
++##	Allow read/write neutron pipes
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="role">
 +#
-+interface(`quantum_rw_inherited_pipes',`
++interface(`neutron_rw_inherited_pipes',`
 +	gen_require(`
-+		type quantum_t;
++		type neutron_t;
 +	')
 +
-+	allow $1 quantum_t:fifo_file rw_inherited_fifo_file_perms;
++	allow $1 neutron_t:fifo_file rw_inherited_fifo_file_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Send sigchld to quantum.
- ## </summary>
- ## <param name="domain">
++##	Send sigchld to neutron.
++## </summary>
++## <param name="domain">
  ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
--## <param name="role">
+-##	Role allowed access.
++##	Domain allowed access.
++##	</summary>
++## </param>
 +#
 +#
-+interface(`quantum_sigchld',`
++interface(`neutron_sigchld',`
 +	gen_require(`
-+		type quantum_t;
++		type neutron_t;
 +	')
 +
-+    allow $1 quantum_t:process sigchld;
++    allow $1 neutron_t:process sigchld;
 +')
 +
 +########################################
 +## <summary>
-+##	Read quantum's log files.
++##	Read neutron's log files.
 +## </summary>
 +## <param name="domain">
- ##	<summary>
--##	Role allowed access.
++##	<summary>
 +##	Domain allowed access.
  ##	</summary>
  ## </param>
  ## <rolecap/>
  #
-+interface(`quantum_read_log',`
+-interface(`quantum_admin',`
++interface(`neutron_read_log',`
 +	gen_require(`
-+		type quantum_log_t;
++		type neutron_log_t;
 +	')
 +
 +	logging_search_logs($1)
-+	read_files_pattern($1, quantum_log_t, quantum_log_t)
++	read_files_pattern($1, neutron_log_t, neutron_log_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Append to quantum log files.
++##	Append to neutron log files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -66215,18 +66346,18 @@ index afc0068..7b3cfad 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`quantum_append_log',`
++interface(`neutron_append_log',`
 +	gen_require(`
-+		type quantum_log_t;
++		type neutron_log_t;
 +	')
 +
 +	logging_search_logs($1)
-+	append_files_pattern($1, quantum_log_t, quantum_log_t)
++	append_files_pattern($1, neutron_log_t, neutron_log_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Manage quantum log files
++##	Manage neutron log files
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -66234,20 +66365,20 @@ index afc0068..7b3cfad 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`quantum_manage_log',`
++interface(`neutron_manage_log',`
 +	gen_require(`
-+		type quantum_log_t;
++		type neutron_log_t;
 +	')
 +
 +	logging_search_logs($1)
-+	manage_dirs_pattern($1, quantum_log_t, quantum_log_t)
-+	manage_files_pattern($1, quantum_log_t, quantum_log_t)
-+	manage_lnk_files_pattern($1, quantum_log_t, quantum_log_t)
++	manage_dirs_pattern($1, neutron_log_t, neutron_log_t)
++	manage_files_pattern($1, neutron_log_t, neutron_log_t)
++	manage_lnk_files_pattern($1, neutron_log_t, neutron_log_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Search quantum lib directories.
++##	Search neutron lib directories.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -66255,18 +66386,18 @@ index afc0068..7b3cfad 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`quantum_search_lib',`
++interface(`neutron_search_lib',`
 +	gen_require(`
-+		type quantum_var_lib_t;
++		type neutron_var_lib_t;
 +	')
 +
-+	allow $1 quantum_var_lib_t:dir search_dir_perms;
++	allow $1 neutron_var_lib_t:dir search_dir_perms;
 +	files_search_var_lib($1)
 +')
 +
 +########################################
 +## <summary>
-+##	Read quantum lib files.
++##	Read neutron lib files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -66274,18 +66405,22 @@ index afc0068..7b3cfad 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`quantum_read_lib_files',`
-+	gen_require(`
-+		type quantum_var_lib_t;
-+	')
-+
++interface(`neutron_read_lib_files',`
+ 	gen_require(`
+-		type quantum_t, quantum_initrc_exec_t, quantum_log_t;
+-		type quantum_var_lib_t, quantum_tmp_t;
++		type neutron_var_lib_t;
+ 	')
+ 
+-	allow $1 quantum_t:process { ptrace signal_perms };
+-	ps_process_pattern($1, quantum_t)
 +	files_search_var_lib($1)
-+	read_files_pattern($1, quantum_var_lib_t, quantum_var_lib_t)
++	read_files_pattern($1, neutron_var_lib_t, neutron_var_lib_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Manage quantum lib files.
++##	Manage neutron lib files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -66293,18 +66428,22 @@ index afc0068..7b3cfad 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`quantum_manage_lib_files',`
++interface(`neutron_manage_lib_files',`
 +	gen_require(`
-+		type quantum_var_lib_t;
++		type neutron_var_lib_t;
 +	')
-+
+ 
+-	init_labeled_script_domtrans($1, quantum_initrc_exec_t)
+-	domain_system_change_exemption($1)
+-	role_transition $2 quantum_initrc_exec_t system_r;
+-	allow $2 system_r;
 +	files_search_var_lib($1)
-+	manage_files_pattern($1, quantum_var_lib_t, quantum_var_lib_t)
++	manage_files_pattern($1, neutron_var_lib_t, neutron_var_lib_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Manage quantum lib directories.
++##	Manage neutron lib directories.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -66312,18 +66451,18 @@ index afc0068..7b3cfad 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`quantum_manage_lib_dirs',`
++interface(`neutron_manage_lib_dirs',`
 +	gen_require(`
-+		type quantum_var_lib_t;
++		type neutron_var_lib_t;
 +	')
 +
 +	files_search_var_lib($1)
-+	manage_dirs_pattern($1, quantum_var_lib_t, quantum_var_lib_t)
++	manage_dirs_pattern($1, neutron_var_lib_t, neutron_var_lib_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Read and write quantum fifo files.
++##	Read and write neutron fifo files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -66331,17 +66470,17 @@ index afc0068..7b3cfad 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`quantum_rw_fifo_file',`
++interface(`neutron_rw_fifo_file',`
 +	gen_require(`
-+		type quantum_t;
++		type neutron_t;
 +	')
 +
-+	allow $1 quantum_t:fifo_file rw_inherited_fifo_file_perms;
++	allow $1 neutron_t:fifo_file rw_inherited_fifo_file_perms;
 +')
 +
 +#####################################
 +## <summary>
-+##	Connect to quantum over a unix domain
++##	Connect to neutron over a unix domain
 +##	stream socket.
 +## </summary>
 +## <param name="domain">
@@ -66350,19 +66489,19 @@ index afc0068..7b3cfad 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`quantum_stream_connect',`
++interface(`neutron_stream_connect',`
 +	gen_require(`
-+        type quantum_t;
-+		type quantum_var_lib_t;
++        type neutron_t;
++		type neutron_var_lib_t;
 +	')
 +
 +	files_search_pids($1)
-+	stream_connect_pattern($1, quantum_var_lib_t, quantum_var_lib_t, quantum_t )
++	stream_connect_pattern($1, neutron_var_lib_t, neutron_var_lib_t, neutron_t )
 +')
 +
 +########################################
 +## <summary>
-+##	Execute quantum server in the quantum domain.
++##	Execute neutron server in the neutron domain.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -66370,25 +66509,25 @@ index afc0068..7b3cfad 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`quantum_systemctl',`
++interface(`neutron_systemctl',`
 +	gen_require(`
-+		type quantum_t;
-+		type quantum_unit_file_t;
++		type neutron_t;
++		type neutron_unit_file_t;
 +	')
 +
 +	systemd_exec_systemctl($1)
 +	systemd_read_fifo_file_passwd_run($1)
-+	allow $1 quantum_unit_file_t:file read_file_perms;
-+	allow $1 quantum_unit_file_t:service manage_service_perms;
++	allow $1 neutron_unit_file_t:file read_file_perms;
++	allow $1 neutron_unit_file_t:service manage_service_perms;
 +
-+	ps_process_pattern($1, quantum_t)
++	ps_process_pattern($1, neutron_t)
 +')
 +
 +
 +########################################
 +## <summary>
 +##	All of the rules required to administrate
-+##	an quantum environment
++##	an neutron environment
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -66396,92 +66535,203 @@ index afc0068..7b3cfad 100644
 +##	</summary>
 +## </param>
 +#
- interface(`quantum_admin',`
- 	gen_require(`
--		type quantum_t, quantum_initrc_exec_t, quantum_log_t;
--		type quantum_var_lib_t, quantum_tmp_t;
-+		type quantum_t;
-+		type quantum_log_t;
-+		type quantum_var_lib_t;
-+		type quantum_unit_file_t;
- 	')
- 
- 	allow $1 quantum_t:process { ptrace signal_perms };
- 	ps_process_pattern($1, quantum_t)
++interface(`neutron_admin',`
++	gen_require(`
++		type neutron_t;
++		type neutron_log_t;
++		type neutron_var_lib_t;
++		type neutron_unit_file_t;
++	')
++
++	allow $1 neutron_t:process { ptrace signal_perms };
++	ps_process_pattern($1, neutron_t)
  
--	init_labeled_script_domtrans($1, quantum_initrc_exec_t)
--	domain_system_change_exemption($1)
--	role_transition $2 quantum_initrc_exec_t system_r;
--	allow $2 system_r;
--
  	logging_search_logs($1)
- 	admin_pattern($1, quantum_log_t)
+-	admin_pattern($1, quantum_log_t)
++	admin_pattern($1, neutron_log_t)
  
  	files_search_var_lib($1)
- 	admin_pattern($1, quantum_var_lib_t)
+-	admin_pattern($1, quantum_var_lib_t)
++	admin_pattern($1, neutron_var_lib_t)
  
 -	files_search_tmp($1)
 -	admin_pattern($1, quantum_tmp_t)
-+	quantum_systemctl($1)
-+	admin_pattern($1, quantum_unit_file_t)
-+	allow $1 quantum_unit_file_t:service all_service_perms;
++	neutron_systemctl($1)
++	admin_pattern($1, neutron_unit_file_t)
++	allow $1 neutron_unit_file_t:service all_service_perms;
 +	optional_policy(`
 +		systemd_passwd_agent_exec($1)
 +		systemd_read_fifo_file_passwd_run($1)
 +	')
  ')
 diff --git a/quantum.te b/quantum.te
-index 769d1fd..bf3f16f 100644
+index 769d1fd..80a4b99 100644
 --- a/quantum.te
 +++ b/quantum.te
-@@ -21,6 +21,9 @@ files_tmp_file(quantum_tmp_t)
- type quantum_var_lib_t;
- files_type(quantum_var_lib_t)
+@@ -1,96 +1,108 @@
+-policy_module(quantum, 1.0.2)
++policy_module(quantum, 1.0.3)
+ 
+ ########################################
+ #
+ # Declarations
+ #
+ 
+-type quantum_t;
+-type quantum_exec_t;
+-init_daemon_domain(quantum_t, quantum_exec_t)
++type neutron_t alias quantum_t;
++type neutron_exec_t alias quantum_exec_t;
++init_daemon_domain(neutron_t, neutron_exec_t)
+ 
+-type quantum_initrc_exec_t;
+-init_script_file(quantum_initrc_exec_t)
++type neutron_initrc_exec_t alias qauntum_initrc_exec_t;
++init_script_file(neutron_initrc_exec_t)
+ 
+-type quantum_log_t;
+-logging_log_file(quantum_log_t)
++type neutron_log_t alias quantum_log_t;
++logging_log_file(neutron_log_t)
+ 
+-type quantum_tmp_t;
+-files_tmp_file(quantum_tmp_t)
++type neutron_tmp_t alias quantum_tmp_t;
++files_tmp_file(neutron_tmp_t)
  
-+type quantum_unit_file_t;
-+systemd_unit_file(quantum_unit_file_t)
+-type quantum_var_lib_t;
+-files_type(quantum_var_lib_t)
++type neutron_var_lib_t alias quantum_var_lib_t;
++files_type(neutron_var_lib_t)
 +
++type neutron_unit_file_t alias quantum_unit_file_t;
++systemd_unit_file(neutron_unit_file_t)
+ 
  ########################################
  #
  # Local policy
-@@ -61,11 +64,13 @@ corenet_tcp_sendrecv_generic_node(quantum_t)
- corenet_tcp_sendrecv_all_ports(quantum_t)
- corenet_tcp_bind_generic_node(quantum_t)
+ #
  
-+corenet_tcp_bind_quantum_port(quantum_t)
-+corenet_tcp_connect_keystone_port(quantum_t)
-+corenet_tcp_connect_mysqld_port(quantum_t)
-+
- dev_list_sysfs(quantum_t)
- dev_read_urand(quantum_t)
+-allow quantum_t self:capability { setgid setuid sys_resource };
+-allow quantum_t self:process { setsched setrlimit };
+-allow quantum_t self:fifo_file rw_fifo_file_perms;
+-allow quantum_t self:key manage_key_perms;
+-allow quantum_t self:tcp_socket { accept listen };
+-allow quantum_t self:unix_stream_socket { accept listen };
++allow neutron_t self:capability { setgid setuid sys_resource };
++allow neutron_t self:process { setsched setrlimit };
++allow neutron_t self:fifo_file rw_fifo_file_perms;
++allow neutron_t self:key manage_key_perms;
++allow neutron_t self:tcp_socket { accept listen };
++allow neutron_t self:unix_stream_socket { accept listen };
+ 
+-manage_dirs_pattern(quantum_t, quantum_log_t, quantum_log_t)
+-append_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
+-create_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
+-setattr_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
+-logging_log_filetrans(quantum_t, quantum_log_t, dir)
++manage_dirs_pattern(neutron_t, neutron_log_t, neutron_log_t)
++append_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
++create_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
++setattr_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
++logging_log_filetrans(neutron_t, neutron_log_t, dir)
+ 
+-manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t)
+-files_tmp_filetrans(quantum_t, quantum_tmp_t, file)
++manage_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
++files_tmp_filetrans(neutron_t, neutron_tmp_t, file)
+ 
+-manage_dirs_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
+-manage_files_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
+-files_var_lib_filetrans(quantum_t, quantum_var_lib_t, dir)
++manage_dirs_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
++manage_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
++files_var_lib_filetrans(neutron_t, neutron_var_lib_t, dir)
+ 
+-can_exec(quantum_t, quantum_tmp_t)
++can_exec(neutron_t, neutron_tmp_t)
+ 
+-kernel_read_kernel_sysctls(quantum_t)
+-kernel_read_system_state(quantum_t)
++kernel_read_kernel_sysctls(neutron_t)
++kernel_read_system_state(neutron_t)
+ 
+-corecmd_exec_shell(quantum_t)
+-corecmd_exec_bin(quantum_t)
++corecmd_exec_shell(neutron_t)
++corecmd_exec_bin(neutron_t)
+ 
+-corenet_all_recvfrom_unlabeled(quantum_t)
+-corenet_all_recvfrom_netlabel(quantum_t)
+-corenet_tcp_sendrecv_generic_if(quantum_t)
+-corenet_tcp_sendrecv_generic_node(quantum_t)
+-corenet_tcp_sendrecv_all_ports(quantum_t)
+-corenet_tcp_bind_generic_node(quantum_t)
++corenet_all_recvfrom_unlabeled(neutron_t)
++corenet_all_recvfrom_netlabel(neutron_t)
++corenet_tcp_sendrecv_generic_if(neutron_t)
++corenet_tcp_sendrecv_generic_node(neutron_t)
++corenet_tcp_sendrecv_all_ports(neutron_t)
++corenet_tcp_bind_generic_node(neutron_t)
+ 
+-dev_list_sysfs(quantum_t)
+-dev_read_urand(quantum_t)
++corenet_tcp_bind_quantum_port(neutron_t)
++corenet_tcp_connect_keystone_port(neutron_t)
++corenet_tcp_connect_mysqld_port(neutron_t)
  
 -files_read_usr_files(quantum_t)
--
- auth_use_nsswitch(quantum_t)
++dev_list_sysfs(neutron_t)
++dev_read_urand(neutron_t)
+ 
+-auth_use_nsswitch(quantum_t)
++auth_use_nsswitch(neutron_t)
+ 
+-libs_exec_ldconfig(quantum_t)
++libs_exec_ldconfig(neutron_t)
  
- libs_exec_ldconfig(quantum_t)
-@@ -73,8 +78,6 @@ libs_exec_ldconfig(quantum_t)
- logging_send_audit_msgs(quantum_t)
- logging_send_syslog_msg(quantum_t)
+-logging_send_audit_msgs(quantum_t)
+-logging_send_syslog_msg(quantum_t)
++logging_send_audit_msgs(neutron_t)
++logging_send_syslog_msg(neutron_t)
  
 -miscfiles_read_localization(quantum_t)
--
- sysnet_domtrans_ifconfig(quantum_t)
++sysnet_domtrans_ifconfig(neutron_t)
+ 
+-sysnet_domtrans_ifconfig(quantum_t)
++optional_policy(`
++	brctl_domtrans(neutron_t)
++')
+ 
+ optional_policy(`
+-	brctl_domtrans(quantum_t)
++	mysql_stream_connect(neutron_t)
++	mysql_read_config(neutron_t)
++
++	mysql_tcp_connect(neutron_t)
+ ')
  
  optional_policy(`
-@@ -94,3 +97,12 @@ optional_policy(`
+-	mysql_stream_connect(quantum_t)
+-	mysql_read_config(quantum_t)
++	postgresql_stream_connect(neutron_t)
++	postgresql_unpriv_client(neutron_t)
  
- 	postgresql_tcp_connect(quantum_t)
+-	mysql_tcp_connect(quantum_t)
++	postgresql_tcp_connect(neutron_t)
  ')
-+
-+optional_policy(`
-+    openvswitch_domtrans(quantum_t)
-+    openvswitch_stream_connect(quantum_t)
+ 
+ optional_policy(`
+-	postgresql_stream_connect(quantum_t)
+-	postgresql_unpriv_client(quantum_t)
++    openvswitch_domtrans(neutron_t)
++    openvswitch_stream_connect(neutron_t)
 +')
-+
+ 
+-	postgresql_tcp_connect(quantum_t)
 +optional_policy(`
-+	sudo_exec(quantum_t)
-+')
++	sudo_exec(neutron_t)
+ ')
 diff --git a/quota.fc b/quota.fc
 index cadabe3..0ee2489 100644
 --- a/quota.fc
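Review bot: The alias on the init script type in the quantum.te section is misspelt: `type neutron_initrc_exec_t alias qauntum_initrc_exec_t;`. Every other declaration keeps the old name as an alias (`quantum_t`, `quantum_exec_t`, `quantum_log_t`, `quantum_tmp_t`, `quantum_var_lib_t`), so this one leaves `quantum_initrc_exec_t` undefined, and any module or local policy that still requires the old type would stop resolving it. It should read `type neutron_initrc_exec_t alias quantum_initrc_exec_t;`. The interfaces get no such compatibility name either: `quantum_admin` becomes `neutron_admin` here and the earlier quantum.if hunks rename the rest, so existing callers of `quantum_*` interfaces would presumably have to be updated in the same change.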
@@ -66928,7 +67178,7 @@ index 2c3d338..cf3e5ad 100644
  
  ########################################
 diff --git a/rabbitmq.te b/rabbitmq.te
-index 3698b51..8c4ba04 100644
+index 3698b51..136b017 100644
 --- a/rabbitmq.te
 +++ b/rabbitmq.te
 @@ -19,6 +19,9 @@ init_script_file(rabbitmq_initrc_exec_t)
@@ -66950,7 +67200,7 @@ index 3698b51..8c4ba04 100644
  allow rabbitmq_beam_t self:process { setsched signal signull };
  allow rabbitmq_beam_t self:fifo_file rw_fifo_file_perms;
  allow rabbitmq_beam_t self:tcp_socket { accept listen };
-@@ -38,13 +43,17 @@ manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
+@@ -38,27 +43,35 @@ manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
  manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
  
  manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
@@ -66971,7 +67221,10 @@ index 3698b51..8c4ba04 100644
  can_exec(rabbitmq_beam_t, rabbitmq_beam_exec_t)
  
  domtrans_pattern(rabbitmq_beam_t, rabbitmq_epmd_exec_t, rabbitmq_epmd_t)
-@@ -54,11 +63,14 @@ kernel_read_system_state(rabbitmq_beam_t)
+ 
+ kernel_read_system_state(rabbitmq_beam_t)
++kernel_read_fs_sysctls(rabbitmq_beam_t)
+ 
  corecmd_exec_bin(rabbitmq_beam_t)
  corecmd_exec_shell(rabbitmq_beam_t)
  
@@ -66986,11 +67239,13 @@ index 3698b51..8c4ba04 100644
  
  corenet_sendrecv_amqp_server_packets(rabbitmq_beam_t)
  corenet_tcp_bind_amqp_port(rabbitmq_beam_t)
-@@ -68,20 +80,44 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t)
+@@ -68,20 +81,50 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t)
  corenet_tcp_connect_epmd_port(rabbitmq_beam_t)
  corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t)
  
 -dev_read_sysfs(rabbitmq_beam_t)
++corenet_tcp_bind_couchdb_port(rabbitmq_beam_t)
++
 +corenet_tcp_bind_jabber_client_port(rabbitmq_beam_t)
 +corenet_tcp_bind_jabber_interserver_port(rabbitmq_beam_t)
 +
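Review bot: The added `corenet_tcp_bind_couchdb_port(rabbitmq_beam_t)` lets the RabbitMQ Erlang VM domain listen on the port labelled for CouchDB, and the patch gives no reason for it. The next rabbitmq.te hunk widens the same domain further with `couchdb_search_pid_dirs`, `fs_search_cgroup_dirs` and `storage_getattr_fixed_disk_dev`. Presumably CouchDB runs on the same Erlang binary and ends up in this domain; if that is the reason, it should be recorded next to the rules, e.g. `# couchdb is started from the shared Erlang VM and runs as rabbitmq_beam_t`. Without that a reader cannot tell these grants from an over-broad response to AVC noise.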
@@ -67006,20 +67261,24 @@ index 3698b51..8c4ba04 100644
 +fs_getattr_all_fs(rabbitmq_beam_t)
 +fs_getattr_all_dirs(rabbitmq_beam_t)
 +fs_getattr_cgroup(rabbitmq_beam_t)
++fs_search_cgroup_dirs(rabbitmq_beam_t)
 +
 +corenet_tcp_connect_couchdb_port(rabbitmq_beam_t)
 +
 +dev_read_sysfs(rabbitmq_beam_t)
 +dev_read_urand(rabbitmq_beam_t)
++
++storage_getattr_fixed_disk_dev(rabbitmq_beam_t)
  
  sysnet_dns_name_resolve(rabbitmq_beam_t)
  
 +logging_send_syslog_msg(rabbitmq_beam_t)
 +
 +optional_policy(`
++    couchdb_manage_lib_files(rabbitmq_beam_t)
 +    couchdb_read_conf_files(rabbitmq_beam_t)
 +    couchdb_read_log_files(rabbitmq_beam_t)
-+    couchdb_manage_lib_files(rabbitmq_beam_t)
++    couchdb_search_pid_dirs(rabbitmq_beam_t)
 +')
 +
 +optional_policy(`
@@ -67035,7 +67294,7 @@ index 3698b51..8c4ba04 100644
  allow rabbitmq_epmd_t self:process signal;
  allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms;
  allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms;
-@@ -99,8 +135,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
+@@ -99,8 +142,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
  corenet_tcp_bind_epmd_port(rabbitmq_epmd_t)
  corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t)
  
@@ -67424,7 +67683,7 @@ index 951db7f..7736755 100644
 +	allow $1 mdadm_exec_t:file { getattr_file_perms execute };
  ')
 diff --git a/raid.te b/raid.te
-index 2c1730b..8e46216 100644
+index 2c1730b..6f60d73 100644
 --- a/raid.te
 +++ b/raid.te
 @@ -15,6 +15,12 @@ role mdadm_roles types mdadm_t;
@@ -67476,7 +67735,7 @@ index 2c1730b..8e46216 100644
  
  corecmd_exec_bin(mdadm_t)
  corecmd_exec_shell(mdadm_t)
-@@ -49,19 +63,27 @@ corecmd_exec_shell(mdadm_t)
+@@ -49,19 +63,28 @@ corecmd_exec_shell(mdadm_t)
  dev_rw_sysfs(mdadm_t)
  dev_dontaudit_getattr_all_blk_files(mdadm_t)
  dev_dontaudit_getattr_all_chr_files(mdadm_t)
@@ -67485,6 +67744,7 @@ index 2c1730b..8e46216 100644
  dev_read_realtime_clock(mdadm_t)
  dev_read_raw_memory(mdadm_t)
 +dev_read_kvm(mdadm_t)
++dev_read_mei(mdadm_t)
 +dev_read_nvram(mdadm_t)
 +dev_read_generic_files(mdadm_t)
 +dev_read_generic_usb_dev(mdadm_t)
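Review bot: `dev_read_mei(mdadm_t)` gives the RAID tool read access to the Intel Management Engine interface device, and neither the hunk nor the changelog entry for this release says why. The neighbouring `dev_read_kvm`, `dev_read_nvram` and `dev_read_generic_files` lines suggest mdadm is opening device nodes while scanning for arrays. If that is the cause, a dontaudit rule for the MEI node is the least-privilege answer rather than an allow. If the read is really needed, put the reason above the line, for example `# mdadm opens the MEI node while probing devices (bug reference: <BUG-ID>)`.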
@@ -67506,7 +67766,7 @@ index 2c1730b..8e46216 100644
  
  mls_file_read_all_levels(mdadm_t)
  mls_file_write_all_levels(mdadm_t)
-@@ -70,15 +92,20 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
+@@ -70,15 +93,20 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
  storage_manage_fixed_disk(mdadm_t)
  storage_read_scsi_generic(mdadm_t)
  storage_write_scsi_generic(mdadm_t)
@@ -67528,7 +67788,7 @@ index 2c1730b..8e46216 100644
  
  userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
  userdom_dontaudit_search_user_home_content(mdadm_t)
-@@ -97,9 +124,17 @@ optional_policy(`
+@@ -97,9 +125,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -76267,7 +76527,7 @@ index aee75af..a6bab06 100644
 +	allow $1 samba_unit_file_t:service all_service_perms;
  ')
 diff --git a/samba.te b/samba.te
-index 57c034b..aa2be40 100644
+index 57c034b..d48911d 100644
 --- a/samba.te
 +++ b/samba.te
 @@ -1,4 +1,4 @@
@@ -76453,7 +76713,7 @@ index 57c034b..aa2be40 100644
  
  type swat_t;
  type swat_exec_t;
-@@ -170,27 +154,28 @@ type winbind_exec_t;
+@@ -170,27 +154,29 @@ type winbind_exec_t;
  init_daemon_domain(winbind_t, winbind_exec_t)
  
  type winbind_helper_t;
@@ -76481,6 +76741,7 @@ index 57c034b..aa2be40 100644
  #
 -
  allow samba_net_t self:capability { sys_chroot sys_nice dac_read_search dac_override };
++allow samba_net_t self:capability2 block_suspend;
  allow samba_net_t self:process { getsched setsched };
 -allow samba_net_t self:unix_stream_socket { accept listen };
 +allow samba_net_t self:unix_dgram_socket create_socket_perms;
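Review bot: `allow samba_net_t self:capability2 block_suspend;` hands the domain a capability that lets a process hold off system suspend, which samba_net_t is unlikely to need for its own work. This denial usually appears because a library passes EPOLLWAKEUP to epoll. The kernel drops that flag when the capability is missing and the call still succeeds. If that is what triggered the AVC here, prefer `dontaudit samba_net_t self:capability2 block_suspend;` so the capability stays out of the domain.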
@@ -76490,7 +76751,7 @@ index 57c034b..aa2be40 100644
  
  allow samba_net_t samba_etc_t:file read_file_perms;
  
-@@ -206,17 +191,22 @@ manage_files_pattern(samba_net_t, samba_var_t, samba_var_t)
+@@ -206,17 +192,22 @@ manage_files_pattern(samba_net_t, samba_var_t, samba_var_t)
  manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t)
  files_var_filetrans(samba_net_t, samba_var_t, dir, "samba")
  
@@ -76517,7 +76778,7 @@ index 57c034b..aa2be40 100644
  
  dev_read_urand(samba_net_t)
  
-@@ -229,15 +219,16 @@ auth_manage_cache(samba_net_t)
+@@ -229,15 +220,16 @@ auth_manage_cache(samba_net_t)
  
  logging_send_syslog_msg(samba_net_t)
  
@@ -76538,7 +76799,7 @@ index 57c034b..aa2be40 100644
  ')
  
  optional_policy(`
-@@ -245,44 +236,56 @@ optional_policy(`
+@@ -245,44 +237,56 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -76607,7 +76868,7 @@ index 57c034b..aa2be40 100644
  manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
  allow smbd_t samba_share_t:filesystem { getattr quotaget };
  
-@@ -292,6 +295,8 @@ manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
+@@ -292,6 +296,8 @@ manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
  manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t)
  files_var_filetrans(smbd_t, samba_var_t, dir, "samba")
  
@@ -76616,7 +76877,7 @@ index 57c034b..aa2be40 100644
  manage_dirs_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t)
  manage_files_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t)
  files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
-@@ -301,11 +306,11 @@ manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
+@@ -301,11 +307,11 @@ manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
  manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
  files_pid_filetrans(smbd_t, smbd_var_run_t, { dir file })
  
@@ -76632,7 +76893,7 @@ index 57c034b..aa2be40 100644
  
  kernel_getattr_core_if(smbd_t)
  kernel_getattr_message_if(smbd_t)
-@@ -315,43 +320,33 @@ kernel_read_kernel_sysctls(smbd_t)
+@@ -315,43 +321,33 @@ kernel_read_kernel_sysctls(smbd_t)
  kernel_read_software_raid_state(smbd_t)
  kernel_read_system_state(smbd_t)
  
@@ -76687,7 +76948,7 @@ index 57c034b..aa2be40 100644
  fs_getattr_all_fs(smbd_t)
  fs_getattr_all_dirs(smbd_t)
  fs_get_xattr_fs_quotas(smbd_t)
-@@ -360,44 +355,54 @@ fs_getattr_rpc_dirs(smbd_t)
+@@ -360,44 +356,54 @@ fs_getattr_rpc_dirs(smbd_t)
  fs_list_inotifyfs(smbd_t)
  fs_get_all_fs_quotas(smbd_t)
  
@@ -76753,7 +77014,7 @@ index 57c034b..aa2be40 100644
  ')
  
  tunable_policy(`samba_domain_controller',`
-@@ -413,20 +418,10 @@ tunable_policy(`samba_domain_controller',`
+@@ -413,20 +419,10 @@ tunable_policy(`samba_domain_controller',`
  ')
  
  tunable_policy(`samba_enable_home_dirs',`
@@ -76776,7 +77037,7 @@ index 57c034b..aa2be40 100644
  tunable_policy(`samba_share_nfs',`
  	fs_manage_nfs_dirs(smbd_t)
  	fs_manage_nfs_files(smbd_t)
-@@ -435,6 +430,7 @@ tunable_policy(`samba_share_nfs',`
+@@ -435,6 +431,7 @@ tunable_policy(`samba_share_nfs',`
  	fs_manage_nfs_named_sockets(smbd_t)
  ')
  
@@ -76784,7 +77045,7 @@ index 57c034b..aa2be40 100644
  tunable_policy(`samba_share_fusefs',`
  	fs_manage_fusefs_dirs(smbd_t)
  	fs_manage_fusefs_files(smbd_t)
-@@ -442,17 +438,6 @@ tunable_policy(`samba_share_fusefs',`
+@@ -442,17 +439,6 @@ tunable_policy(`samba_share_fusefs',`
  	fs_search_fusefs(smbd_t)
  ')
  
@@ -76802,7 +77063,7 @@ index 57c034b..aa2be40 100644
  optional_policy(`
  	ccs_read_config(smbd_t)
  ')
-@@ -473,6 +458,11 @@ optional_policy(`
+@@ -473,6 +459,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -76814,7 +77075,7 @@ index 57c034b..aa2be40 100644
  	lpd_exec_lpr(smbd_t)
  ')
  
-@@ -493,9 +483,33 @@ optional_policy(`
+@@ -493,9 +484,33 @@ optional_policy(`
  	udev_read_db(smbd_t)
  ')
  
@@ -76849,7 +77110,7 @@ index 57c034b..aa2be40 100644
  #
  
  dontaudit nmbd_t self:capability sys_tty_config;
-@@ -506,9 +520,11 @@ allow nmbd_t self:msg { send receive };
+@@ -506,9 +521,11 @@ allow nmbd_t self:msg { send receive };
  allow nmbd_t self:msgq create_msgq_perms;
  allow nmbd_t self:sem create_sem_perms;
  allow nmbd_t self:shm create_shm_perms;
@@ -76864,7 +77125,7 @@ index 57c034b..aa2be40 100644
  
  manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
  manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
-@@ -520,20 +536,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
+@@ -520,20 +537,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
  read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
  
  manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
@@ -76888,7 +77149,7 @@ index 57c034b..aa2be40 100644
  
  kernel_getattr_core_if(nmbd_t)
  kernel_getattr_message_if(nmbd_t)
-@@ -542,52 +553,40 @@ kernel_read_network_state(nmbd_t)
+@@ -542,52 +554,40 @@ kernel_read_network_state(nmbd_t)
  kernel_read_software_raid_state(nmbd_t)
  kernel_read_system_state(nmbd_t)
  
@@ -76953,7 +77214,7 @@ index 57c034b..aa2be40 100644
  ')
  
  optional_policy(`
-@@ -600,17 +599,24 @@ optional_policy(`
+@@ -600,17 +600,24 @@ optional_policy(`
  
  ########################################
  #
@@ -76982,7 +77243,7 @@ index 57c034b..aa2be40 100644
  samba_read_config(smbcontrol_t)
  samba_rw_var_files(smbcontrol_t)
  samba_search_var(smbcontrol_t)
-@@ -620,16 +626,12 @@ domain_use_interactive_fds(smbcontrol_t)
+@@ -620,16 +627,12 @@ domain_use_interactive_fds(smbcontrol_t)
  
  dev_read_urand(smbcontrol_t)
  
@@ -77000,7 +77261,7 @@ index 57c034b..aa2be40 100644
  
  optional_policy(`
  	ctdbd_stream_connect(smbcontrol_t)
-@@ -637,22 +639,23 @@ optional_policy(`
+@@ -637,22 +640,23 @@ optional_policy(`
  
  ########################################
  #
@@ -77032,7 +77293,7 @@ index 57c034b..aa2be40 100644
  
  allow smbmount_t samba_secrets_t:file manage_file_perms;
  
-@@ -661,26 +664,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
+@@ -661,26 +665,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
  manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
  files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
  
@@ -77068,7 +77329,7 @@ index 57c034b..aa2be40 100644
  
  fs_getattr_cifs(smbmount_t)
  fs_mount_cifs(smbmount_t)
-@@ -692,58 +691,77 @@ fs_read_cifs_files(smbmount_t)
+@@ -692,58 +692,77 @@ fs_read_cifs_files(smbmount_t)
  storage_raw_read_fixed_disk(smbmount_t)
  storage_raw_write_fixed_disk(smbmount_t)
  
@@ -77160,7 +77421,7 @@ index 57c034b..aa2be40 100644
  
  manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
  manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -752,17 +770,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
+@@ -752,17 +771,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
  manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
  files_pid_filetrans(swat_t, swat_var_run_t, file)
  
@@ -77184,7 +77445,7 @@ index 57c034b..aa2be40 100644
  
  kernel_read_kernel_sysctls(swat_t)
  kernel_read_system_state(swat_t)
-@@ -770,36 +784,25 @@ kernel_read_network_state(swat_t)
+@@ -770,36 +785,25 @@ kernel_read_network_state(swat_t)
  
  corecmd_search_bin(swat_t)
  
@@ -77227,7 +77488,7 @@ index 57c034b..aa2be40 100644
  
  auth_domtrans_chk_passwd(swat_t)
  auth_use_nsswitch(swat_t)
-@@ -811,10 +814,11 @@ logging_send_syslog_msg(swat_t)
+@@ -811,10 +815,11 @@ logging_send_syslog_msg(swat_t)
  logging_send_audit_msgs(swat_t)
  logging_search_logs(swat_t)
  
@@ -77241,7 +77502,7 @@ index 57c034b..aa2be40 100644
  optional_policy(`
  	cups_read_rw_config(swat_t)
  	cups_stream_connect(swat_t)
-@@ -834,16 +838,19 @@ optional_policy(`
+@@ -834,16 +839,19 @@ optional_policy(`
  #
  
  allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice };
@@ -77265,7 +77526,7 @@ index 57c034b..aa2be40 100644
  
  allow winbind_t samba_etc_t:dir list_dir_perms;
  read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -853,9 +860,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
+@@ -853,9 +861,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
  filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
  
  manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
@@ -77276,7 +77537,7 @@ index 57c034b..aa2be40 100644
  manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
  
  manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
-@@ -866,23 +871,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
+@@ -866,23 +872,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
  
  rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
  
@@ -77306,7 +77567,7 @@ index 57c034b..aa2be40 100644
  manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
  
  kernel_read_network_state(winbind_t)
-@@ -891,13 +894,17 @@ kernel_read_system_state(winbind_t)
+@@ -891,13 +895,17 @@ kernel_read_system_state(winbind_t)
  
  corecmd_exec_bin(winbind_t)
  
@@ -77327,7 +77588,7 @@ index 57c034b..aa2be40 100644
  corenet_tcp_connect_smbd_port(winbind_t)
  corenet_tcp_connect_epmap_port(winbind_t)
  corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -905,10 +912,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
+@@ -905,10 +913,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
  dev_read_sysfs(winbind_t)
  dev_read_urand(winbind_t)
  
@@ -77338,7 +77599,7 @@ index 57c034b..aa2be40 100644
  
  fs_getattr_all_fs(winbind_t)
  fs_search_auto_mountpoints(winbind_t)
-@@ -917,18 +920,24 @@ auth_domtrans_chk_passwd(winbind_t)
+@@ -917,18 +921,24 @@ auth_domtrans_chk_passwd(winbind_t)
  auth_use_nsswitch(winbind_t)
  auth_manage_cache(winbind_t)
  
@@ -77365,7 +77626,7 @@ index 57c034b..aa2be40 100644
  
  optional_policy(`
  	ctdbd_stream_connect(winbind_t)
-@@ -936,7 +945,12 @@ optional_policy(`
+@@ -936,7 +946,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -77378,7 +77639,7 @@ index 57c034b..aa2be40 100644
  ')
  
  optional_policy(`
-@@ -952,31 +966,29 @@ optional_policy(`
+@@ -952,31 +967,29 @@ optional_policy(`
  # Winbind helper local policy
  #
  
@@ -77416,7 +77677,7 @@ index 57c034b..aa2be40 100644
  
  optional_policy(`
  	apache_append_log(winbind_helper_t)
-@@ -990,25 +1002,38 @@ optional_policy(`
+@@ -990,25 +1003,38 @@ optional_policy(`
  
  ########################################
  #
@@ -85794,10 +86055,10 @@ index ac8213a..20fa71f 100644
 -
 -miscfiles_read_localization(tcsd_t)
 diff --git a/telepathy.fc b/telepathy.fc
-index c7de0cf..9813503 100644
+index c7de0cf..03fc880 100644
 --- a/telepathy.fc
 +++ b/telepathy.fc
-@@ -1,34 +1,22 @@
+@@ -1,34 +1,23 @@
 -HOME_DIR/\.cache/\.mc_connections	--	gen_context(system_u:object_r:telepathy_mission_control_cache_home_t,s0)
 +HOME_DIR/\.cache/\.mc_connections	--	gen_context(system_u:object_r:telepathy_mission_control_cache_home_t, s0)
  HOME_DIR/\.cache/telepathy(/.*)?	gen_context(system_u:object_r:telepathy_cache_home_t, s0)
@@ -85805,6 +86066,7 @@ index c7de0cf..9813503 100644
 -HOME_DIR/\.cache/telepathy/gabble(/.*)?	gen_context(system_u:object_r:telepathy_gabble_cache_home_t,s0)
 -HOME_DIR/\.cache/wocky(/.*)?	gen_context(system_u:object_r:telepathy_gabble_cache_home_t,s0)
 -HOME_DIR/\.mission-control(/.*)?	gen_context(system_u:object_r:telepathy_mission_control_home_t,s0)
++HOME_DIR/\.cache/telepathy/avatars/gabble(/.*)?		gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
 +HOME_DIR/\.cache/telepathy/gabble(/.*)?		gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
 +HOME_DIR/\.cache/wocky(/.*)?			gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
 +HOME_DIR/\.mission-control(/.*)?		gen_context(system_u:object_r:telepathy_mission_control_home_t, s0)
@@ -86266,7 +86528,7 @@ index 42946bc..741f2f4 100644
 +	can_exec($1, telepathy_executable)
  ')
 diff --git a/telepathy.te b/telepathy.te
-index e9c0964..ff77783 100644
+index e9c0964..d4686e6 100644
 --- a/telepathy.te
 +++ b/telepathy.te
 @@ -1,29 +1,28 @@
@@ -86309,7 +86571,7 @@ index e9c0964..ff77783 100644
  
  telepathy_domain_template(gabble)
  
-@@ -67,176 +66,144 @@ userdom_user_home_content(telepathy_sunshine_home_t)
+@@ -67,176 +66,147 @@ userdom_user_home_content(telepathy_sunshine_home_t)
  
  #######################################
  #
@@ -86500,6 +86762,9 @@ index e9c0964..ff77783 100644
  manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
 -userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, dir, ".mission-control")
 +userdom_search_user_home_dirs(telepathy_mission_control_t)
++
++manage_files_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
++manage_dirs_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
  
 -manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t)
 +manage_dirs_pattern(telepathy_mission_control_t, { telepathy_data_home_t telepathy_mission_control_data_home_t }, { telepathy_data_home_t telepathy_mission_control_data_home_t })
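Review bot: The two added `manage_*_pattern` lines give telepathy_mission_control_t create, write and delete rights on telepathy_gabble_cache_home_t, while the changelog for this release lists both "manage gabble cache files" and "read gabble cache home" for mission-control. If mission-control only consumes avatars that gabble wrote, `read_files_pattern(...)` and `list_dirs_pattern(...)` with the same three arguments would be enough, and the gabble cache would stay writable by one domain only. If write access is required, add a short comment above the lines, such as `# mission-control writes avatars into the gabble cache`, to record why.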
@@ -86534,7 +86799,7 @@ index e9c0964..ff77783 100644
  
  optional_policy(`
  	dbus_system_bus_client(telepathy_mission_control_t)
-@@ -245,59 +212,51 @@ optional_policy(`
+@@ -245,59 +215,51 @@ optional_policy(`
  		devicekit_dbus_chat_power(telepathy_mission_control_t)
  	')
  	optional_policy(`
@@ -86609,7 +86874,7 @@ index e9c0964..ff77783 100644
  
  init_read_state(telepathy_msn_t)
  
-@@ -307,18 +266,19 @@ logging_send_syslog_msg(telepathy_msn_t)
+@@ -307,18 +269,19 @@ logging_send_syslog_msg(telepathy_msn_t)
  
  miscfiles_read_all_certs(telepathy_msn_t)
  
@@ -86634,7 +86899,7 @@ index e9c0964..ff77783 100644
  ')
  
  optional_policy(`
-@@ -329,43 +289,33 @@ optional_policy(`
+@@ -329,43 +292,33 @@ optional_policy(`
  	')
  ')
  
@@ -86683,7 +86948,7 @@ index e9c0964..ff77783 100644
  ')
  
  optional_policy(`
-@@ -378,73 +328,53 @@ optional_policy(`
+@@ -378,73 +331,53 @@ optional_policy(`
  
  #######################################
  #
@@ -86767,7 +87032,7 @@ index e9c0964..ff77783 100644
  optional_policy(`
  	xserver_read_xdm_pid(telepathy_sunshine_t)
  	xserver_stream_connect(telepathy_sunshine_t)
-@@ -452,31 +382,43 @@ optional_policy(`
+@@ -452,31 +385,43 @@ optional_policy(`
  
  #######################################
  #
@@ -92250,7 +92515,7 @@ index 9dec06c..4e31afe 100644
 +	allow $1 svirt_image_t:chr_file rw_file_perms;
  ')
 diff --git a/virt.te b/virt.te
-index 1f22fba..d48d354 100644
+index 1f22fba..76ccef3 100644
 --- a/virt.te
 +++ b/virt.te
 @@ -1,94 +1,104 @@
@@ -92880,7 +93145,7 @@ index 1f22fba..d48d354 100644
  logging_log_filetrans(virtd_t, virt_log_t, { file dir })
  
  manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -496,16 +343,11 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -496,16 +343,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
  
@@ -92890,6 +93155,7 @@ index 1f22fba..d48d354 100644
 +manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
 +manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
 +filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
++allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto };
 +stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
  
 -stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
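Review bot: The new `allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto };` spells out raw permissions where the surrounding lines use pattern macros. Writing it as `relabel_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)` would match the file's style. It covers files only, although the `manage_dirs_pattern` and `dir` filetrans lines just above it deal with directories under the same type. relabelfrom also lets virtd_t move these files to any other type it holds relabelto on, so a comment naming the file being relabelled would help a later audit.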
@@ -92901,7 +93167,7 @@ index 1f22fba..d48d354 100644
  kernel_read_system_state(virtd_t)
  kernel_read_network_state(virtd_t)
  kernel_rw_net_sysctls(virtd_t)
-@@ -513,6 +355,7 @@ kernel_read_kernel_sysctls(virtd_t)
+@@ -513,6 +356,7 @@ kernel_read_kernel_sysctls(virtd_t)
  kernel_request_load_module(virtd_t)
  kernel_search_debugfs(virtd_t)
  kernel_setsched(virtd_t)
@@ -92909,7 +93175,7 @@ index 1f22fba..d48d354 100644
  
  corecmd_exec_bin(virtd_t)
  corecmd_exec_shell(virtd_t)
-@@ -520,24 +363,16 @@ corecmd_exec_shell(virtd_t)
+@@ -520,24 +364,16 @@ corecmd_exec_shell(virtd_t)
  corenet_all_recvfrom_netlabel(virtd_t)
  corenet_tcp_sendrecv_generic_if(virtd_t)
  corenet_tcp_sendrecv_generic_node(virtd_t)
@@ -92937,13 +93203,14 @@ index 1f22fba..d48d354 100644
  dev_rw_sysfs(virtd_t)
  dev_read_urand(virtd_t)
  dev_read_rand(virtd_t)
-@@ -548,22 +383,23 @@ dev_rw_vhost(virtd_t)
+@@ -548,22 +384,24 @@ dev_rw_vhost(virtd_t)
  dev_setattr_generic_usb_dev(virtd_t)
  dev_relabel_generic_usb_dev(virtd_t)
  
 +# Init script handling
  domain_use_interactive_fds(virtd_t)
  domain_read_all_domains_state(virtd_t)
++domain_signull_all_domains(virtd_t)
  
 -files_read_usr_files(virtd_t)
  files_read_etc_runtime_files(virtd_t)
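Review bot: `domain_signull_all_domains(virtd_t)` lets virtd_t send the null signal to every domain on the system, which is broader than a liveness check on its own guests and helpers, presumably what it is there for. It also sits under the `# Init script handling` comment, which does not describe it. Consider limiting the rule to the domains virtd_t itself launches. At minimum, add a comment above it such as `# libvirtd probes tracked PIDs with kill(pid, 0)`, since the hunk does not show which denial prompted the rule.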
@@ -92966,7 +93233,7 @@ index 1f22fba..d48d354 100644
  fs_rw_anon_inodefs_files(virtd_t)
  fs_list_inotifyfs(virtd_t)
  fs_manage_cgroup_dirs(virtd_t)
-@@ -594,15 +430,18 @@ term_use_ptmx(virtd_t)
+@@ -594,15 +432,18 @@ term_use_ptmx(virtd_t)
  
  auth_use_nsswitch(virtd_t)
  
@@ -92986,7 +93253,7 @@ index 1f22fba..d48d354 100644
  
  selinux_validate_context(virtd_t)
  
-@@ -613,18 +452,26 @@ seutil_read_file_contexts(virtd_t)
+@@ -613,18 +454,26 @@ seutil_read_file_contexts(virtd_t)
  sysnet_signull_ifconfig(virtd_t)
  sysnet_signal_ifconfig(virtd_t)
  sysnet_domtrans_ifconfig(virtd_t)
@@ -93023,7 +93290,7 @@ index 1f22fba..d48d354 100644
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virtd_t)
-@@ -633,7 +480,7 @@ tunable_policy(`virt_use_nfs',`
+@@ -633,7 +482,7 @@ tunable_policy(`virt_use_nfs',`
  ')
  
  tunable_policy(`virt_use_samba',`
@@ -93032,7 +93299,7 @@ index 1f22fba..d48d354 100644
  	fs_manage_cifs_files(virtd_t)
  	fs_read_cifs_symlinks(virtd_t)
  ')
-@@ -658,20 +505,12 @@ optional_policy(`
+@@ -658,20 +507,12 @@ optional_policy(`
  	')
  
  	optional_policy(`
@@ -93053,7 +93320,7 @@ index 1f22fba..d48d354 100644
  ')
  
  optional_policy(`
-@@ -684,14 +523,20 @@ optional_policy(`
+@@ -684,14 +525,20 @@ optional_policy(`
  	dnsmasq_kill(virtd_t)
  	dnsmasq_signull(virtd_t)
  	dnsmasq_create_pid_dirs(virtd_t)
@@ -93076,7 +93343,7 @@ index 1f22fba..d48d354 100644
  	iptables_manage_config(virtd_t)
  ')
  
-@@ -704,11 +549,13 @@ optional_policy(`
+@@ -704,11 +551,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -93090,7 +93357,7 @@ index 1f22fba..d48d354 100644
  	policykit_domtrans_auth(virtd_t)
  	policykit_domtrans_resolve(virtd_t)
  	policykit_read_lib(virtd_t)
-@@ -719,10 +566,18 @@ optional_policy(`
+@@ -719,10 +568,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -93109,7 +93376,7 @@ index 1f22fba..d48d354 100644
  	kernel_read_xen_state(virtd_t)
  	kernel_write_xen_state(virtd_t)
  
-@@ -737,44 +592,262 @@ optional_policy(`
+@@ -737,44 +594,262 @@ optional_policy(`
  	udev_read_db(virtd_t)
  ')
  
@@ -93394,7 +93661,7 @@ index 1f22fba..d48d354 100644
  kernel_read_system_state(virsh_t)
  kernel_read_network_state(virsh_t)
  kernel_read_kernel_sysctls(virsh_t)
-@@ -785,25 +858,18 @@ kernel_write_xen_state(virsh_t)
+@@ -785,25 +860,18 @@ kernel_write_xen_state(virsh_t)
  corecmd_exec_bin(virsh_t)
  corecmd_exec_shell(virsh_t)
  
@@ -93421,7 +93688,7 @@ index 1f22fba..d48d354 100644
  
  fs_getattr_all_fs(virsh_t)
  fs_manage_xenfs_dirs(virsh_t)
-@@ -812,24 +878,22 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -812,24 +880,22 @@ fs_search_auto_mountpoints(virsh_t)
  
  storage_raw_read_fixed_disk(virsh_t)
  
@@ -93453,7 +93720,7 @@ index 1f22fba..d48d354 100644
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virsh_t)
  	fs_manage_nfs_files(virsh_t)
-@@ -847,14 +911,20 @@ optional_policy(`
+@@ -847,14 +913,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -93475,7 +93742,7 @@ index 1f22fba..d48d354 100644
  	xen_stream_connect(virsh_t)
  	xen_stream_connect_xenstore(virsh_t)
  ')
-@@ -879,49 +949,65 @@ optional_policy(`
+@@ -879,49 +951,65 @@ optional_policy(`
  	kernel_read_xen_state(virsh_ssh_t)
  	kernel_write_xen_state(virsh_ssh_t)
  
@@ -93559,7 +93826,7 @@ index 1f22fba..d48d354 100644
  
  corecmd_exec_bin(virtd_lxc_t)
  corecmd_exec_shell(virtd_lxc_t)
-@@ -933,17 +1019,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -933,17 +1021,16 @@ dev_read_urand(virtd_lxc_t)
  
  domain_use_interactive_fds(virtd_lxc_t)
  
@@ -93579,7 +93846,7 @@ index 1f22fba..d48d354 100644
  fs_getattr_all_fs(virtd_lxc_t)
  fs_manage_tmpfs_dirs(virtd_lxc_t)
  fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -955,8 +1040,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -955,8 +1042,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
  fs_unmount_all_fs(virtd_lxc_t)
  fs_relabelfrom_tmpfs(virtd_lxc_t)
  
@@ -93603,7 +93870,7 @@ index 1f22fba..d48d354 100644
  selinux_get_enforce_mode(virtd_lxc_t)
  selinux_get_fs_mount(virtd_lxc_t)
  selinux_validate_context(virtd_lxc_t)
-@@ -965,194 +1065,247 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -965,194 +1067,247 @@ selinux_compute_create_context(virtd_lxc_t)
  selinux_compute_relabel_context(virtd_lxc_t)
  selinux_compute_user_contexts(virtd_lxc_t)
  
@@ -93981,7 +94248,7 @@ index 1f22fba..d48d354 100644
  allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
  allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
  
-@@ -1165,12 +1318,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1165,12 +1320,12 @@ dev_read_sysfs(virt_qmf_t)
  dev_read_rand(virt_qmf_t)
  dev_read_urand(virt_qmf_t)
  
@@ -93996,7 +94263,7 @@ index 1f22fba..d48d354 100644
  sysnet_read_config(virt_qmf_t)
  
  optional_policy(`
-@@ -1183,9 +1336,8 @@ optional_policy(`
+@@ -1183,9 +1338,8 @@ optional_policy(`
  
  ########################################
  #
@@ -94007,7 +94274,7 @@ index 1f22fba..d48d354 100644
  allow virt_bridgehelper_t self:process { setcap getcap };
  allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
  allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1350,120 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1352,120 @@ kernel_read_network_state(virt_bridgehelper_t)
  
  corenet_rw_tun_tap_dev(virt_bridgehelper_t)
  
@@ -97710,7 +97977,7 @@ index b0803c2..f1fa5f7 100644
 +')
 diff --git a/zoneminder.fc b/zoneminder.fc
 new file mode 100644
-index 0000000..a468da3
+index 0000000..d8a6df1
 --- /dev/null
 +++ b/zoneminder.fc
 @@ -0,0 +1,26 @@
@@ -97718,7 +97985,7 @@ index 0000000..a468da3
 +
 +/etc/rc\.d/init\.d/zoneminder	--	gen_context(system_u:object_r:zoneminder_initrc_exec_t,s0)
 +
-+/usr/bin/motion         --      gen_context(system_u:object_r:zoneminder_exec_t,s0)
++#/usr/bin/motion         --      gen_context(system_u:object_r:zoneminder_exec_t,s0)
 +
 +/usr/bin/zmpkg.pl		--	gen_context(system_u:object_r:zoneminder_exec_t,s0)
 +
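Review bot: The `/usr/bin/motion` entry is commented out rather than deleted, which leaves a dead line in zoneminder.fc with no explanation beside it; the changelog describes the change as a trial ("try to remove labeling for motion from zoneminder_exec_t to bin_t"). Once the binary carries the default label it no longer enters the zoneminder domain, and the hunk shows no replacement. It is therefore worth checking which domain motion ends up in when it is started as a service. Either delete the line or put the reason above it, for example `# motion labeling dropped in 3.12.1-78; binary is bin_t now`.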
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 317ab46..1a40678 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 77.1%{?dist}
+Release: 78%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -570,6 +570,33 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Tue Sep 10 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-78
+- Allow block_suspend cap for samba-net
+- Allow t-mission-control to manage gabble cache files
+- Allow nslcd to read /sys/devices/system/cpu
+- Allow selinux_store to use symlinks
+- Allow xdm_t to transition to itself
+- Call neutron interfaces instead of quantum
+- Allow init to change targed role to make uncofined services (xrdp which now has own systemd unit file) working. We want them to have in unconfined_t
+- Make sure directories in /run get created with the correct label
+- Make sure /root/.pki gets created with the right label
+- try to remove labeling for motion from zoneminder_exec_t to bin_t
+- Allow inetd_t to execute shell scripts
+- Allow cloud-init to read all domainstate
+- Fix to use quantum port
+- Add interface netowrkmanager_initrc_domtrans
+- Fix boinc_execmem
+- Allow t-mission-control to read gabble cache home
+- Add labeling for ~/.cache/telepathy/avatars/gabble
+- Allow memcache to read sysfs data
+- Cleanup antivirus policy and add additional fixes
+- Add boolean boinc_enable_execstack
+- Add support for couchdb in rabbitmq policy
+- Add interface couchdb_search_pid_dirs
+- Allow firewalld to read NM state
+- Allow systemd running as git_systemd to bind git port
+- Fix mozilla_plugin_rw_tmpfs_files()
+
 * Mon Sep 9 2013 Dan Walsh <dwalsh@redhat.com> 3.12.1-77.1
 - Fix nameing of rpm macro
 - Fix creating of checksum file off installed policy