diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 77e2037..77cec62 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -22720,7 +22720,7 @@ index 8274418..0069d82 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index 6bf0ecc..0d55916 100644 +index 6bf0ecc..bf98136 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -18,100 +18,37 @@ @@ -23704,7 +23704,7 @@ index 6bf0ecc..0d55916 100644 ') ######################################## -@@ -1284,10 +1679,643 @@ interface(`xserver_manage_core_devices',` +@@ -1284,10 +1679,664 @@ interface(`xserver_manage_core_devices',` # interface(`xserver_unconfined',` gen_require(` @@ -23850,6 +23850,27 @@ index 6bf0ecc..0d55916 100644 + +######################################## +## ++## Send and receive messages from ++## xdm over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`xserver_dbus_chat',` ++ gen_require(` ++ type xserver_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 xserver_t:dbus send_msg; ++ allow xserver_t $1:dbus send_msg; ++') ++ ++######################################## ++## +## Read xserver files created in /var/run +## +## @@ -24351,7 +24372,7 @@ index 6bf0ecc..0d55916 100644 +') + diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 8b40377..a02343f 100644 +index 8b40377..c52fbe6 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,28 +26,59 @@ gen_require(` 
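Review bot: The new xserver_dbus_chat() interface is documented as "Send and receive messages from xdm over dbus", but the two rules it adds (`allow $1 xserver_t:dbus send_msg; allow xserver_t $1:dbus send_msg;`) pair the caller with xserver_t, the X server domain, while this module also has a separate xdm_t type. Either the description should read `## Send and receive dbus messages to and from the X server (xserver_t).` or, if the display manager really was meant, the gen_require and both allow lines should name xdm_t instead. Because the interface is bidirectional, the caller's domain also becomes reachable from the X server, which is worth a sentence in the description for whoever wires this into a privileged daemon.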
@@ -24986,7 +25007,7 @@ index 8b40377..a02343f 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -472,24 +689,148 @@ userdom_read_user_home_content_files(xdm_t) +@@ -472,24 +689,149 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -24999,6 +25020,7 @@ index 8b40377..a02343f 100644 +#userdom_home_manager(xdm_t) +tunable_policy(`xdm_write_home',` + userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, { file lnk_file }) ++ userdom_admin_home_dir_filetrans(xdm_t, xdm_home_t, { file lnk_file }) +',` + userdom_user_home_dir_filetrans_user_home_content(xdm_t, { dir file lnk_file fifo_file sock_file }) +') @@ -25141,7 +25163,7 @@ index 8b40377..a02343f 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -503,11 +844,26 @@ tunable_policy(`xdm_sysadm_login',` +@@ -503,11 +845,26 @@ tunable_policy(`xdm_sysadm_login',` ') optional_policy(` @@ -25168,7 +25190,7 @@ index 8b40377..a02343f 100644 ') optional_policy(` -@@ -517,9 +873,34 @@ optional_policy(` +@@ -517,9 +874,34 @@ optional_policy(` optional_policy(` dbus_system_bus_client(xdm_t) dbus_connect_system_bus(xdm_t) @@ -25204,7 +25226,7 @@ index 8b40377..a02343f 100644 ') ') -@@ -530,6 +911,20 @@ optional_policy(` +@@ -530,6 +912,20 @@ optional_policy(` ') optional_policy(` @@ -25225,7 +25247,7 @@ index 8b40377..a02343f 100644 hostname_exec(xdm_t) ') -@@ -547,28 +942,78 @@ optional_policy(` +@@ -547,28 +943,78 @@ optional_policy(` ') optional_policy(` @@ -25313,7 +25335,7 @@ index 8b40377..a02343f 100644 ') optional_policy(` -@@ -580,6 +1025,14 @@ optional_policy(` +@@ -580,6 +1026,14 @@ optional_policy(` ') optional_policy(` 
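Review bot: Under the xdm_write_home tunable, `userdom_admin_home_dir_filetrans(xdm_t, xdm_home_t, { file lnk_file })` now lets the display manager create files and, notably, symlinks directly in /root, which is a wider grant than the user-home transition beside it and a classic planting primitive if xdm_t is ever compromised. Nothing in the hunk records why root's home specifically is needed; the changelog only cites the XorgWithoutRootRights change. Add a comment above the new line, e.g. `# xdm_home_t content (presumably .Xauthority-style files) is also created in /root for console root logins -- confirm`, and extend the gen_tunable description (outside this hunk) to say that enabling it also covers /root.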
@@ -25328,7 +25350,7 @@ index 8b40377..a02343f 100644 xfs_stream_connect(xdm_t) ') -@@ -594,7 +1047,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; +@@ -594,7 +1048,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t; allow xserver_t { root_xdrawable_t x_domain }:x_drawable send; @@ -25337,7 +25359,7 @@ index 8b40377..a02343f 100644 # setuid/setgid for the wrapper program to change UID # sys_rawio is for iopl access - should not be needed for frame-buffer -@@ -604,8 +1057,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -604,8 +1058,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -25350,7 +25372,7 @@ index 8b40377..a02343f 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -618,8 +1074,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -618,8 +1075,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -25366,7 +25388,7 @@ index 8b40377..a02343f 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -627,6 +1090,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) +@@ -627,6 +1091,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) 
@@ -25377,7 +25399,7 @@ index 8b40377..a02343f 100644 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -638,25 +1105,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -638,25 +1106,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -25414,7 +25436,7 @@ index 8b40377..a02343f 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -677,23 +1151,28 @@ dev_rw_apm_bios(xserver_t) +@@ -677,23 +1152,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -25446,7 +25468,7 @@ index 8b40377..a02343f 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -705,6 +1184,14 @@ fs_search_nfs(xserver_t) +@@ -705,6 +1185,14 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -25461,7 +25483,7 @@ index 8b40377..a02343f 100644 mls_xwin_read_to_clearance(xserver_t) selinux_validate_context(xserver_t) -@@ -718,20 +1205,18 @@ init_getpgid(xserver_t) +@@ -718,20 +1206,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -25485,7 +25507,7 @@ index 8b40377..a02343f 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -739,8 +1224,6 @@ userdom_setattr_user_ttys(xserver_t) +@@ -739,8 +1225,6 @@ userdom_setattr_user_ttys(xserver_t) userdom_read_user_tmp_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t) 
@@ -25494,7 +25516,7 @@ index 8b40377..a02343f 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; domain_mmap_low_uncond(xserver_t) -@@ -785,17 +1268,44 @@ optional_policy(` +@@ -785,17 +1269,44 @@ optional_policy(` ') optional_policy(` @@ -25541,7 +25563,7 @@ index 8b40377..a02343f 100644 ') optional_policy(` -@@ -803,6 +1313,10 @@ optional_policy(` +@@ -803,6 +1314,10 @@ optional_policy(` ') optional_policy(` @@ -25552,7 +25574,7 @@ index 8b40377..a02343f 100644 xfs_stream_connect(xserver_t) ') -@@ -818,10 +1332,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -818,10 +1333,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -25566,7 +25588,7 @@ index 8b40377..a02343f 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -829,7 +1343,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -829,7 +1344,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -25575,7 +25597,7 @@ index 8b40377..a02343f 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -842,26 +1356,21 @@ init_use_fds(xserver_t) +@@ -842,26 +1357,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) 
@@ -25610,7 +25632,7 @@ index 8b40377..a02343f 100644 ') optional_policy(` -@@ -912,7 +1421,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -912,7 +1422,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -25619,7 +25641,7 @@ index 8b40377..a02343f 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -966,11 +1475,31 @@ allow x_domain self:x_resource { read write }; +@@ -966,11 +1476,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -25651,7 +25673,7 @@ index 8b40377..a02343f 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -992,18 +1521,150 @@ tunable_policy(`! xserver_object_manager',` +@@ -992,18 +1522,150 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -37265,7 +37287,7 @@ index 40edc18..7cc0c8a 100644 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) + diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if -index 2cea692..f1e2130 100644 +index 2cea692..9f54e7c 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if @@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',` 
@@ -37552,7 +37574,7 @@ index 2cea692..f1e2130 100644 corenet_tcp_sendrecv_generic_if($1) corenet_udp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) -@@ -796,3 +949,76 @@ interface(`sysnet_use_portmap',` +@@ -796,3 +949,94 @@ interface(`sysnet_use_portmap',` sysnet_read_config($1) ') @@ -37629,6 +37651,24 @@ index 2cea692..f1e2130 100644 + files_etc_filetrans($1, net_conf_t, file, "yp.conf") + files_etc_filetrans($1, net_conf_t, file, "ntp.conf") +') ++ ++######################################## ++## ++## Transition to sysnet ifconfig named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sysnet_filetrans_named_content_ifconfig',` ++ gen_require(` ++ type ifconfig_var_run_t; ++ ') ++ ++ files_pid_filetrans($1, ifconfig_var_run_t, dir, "netns") ++') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te index a392fc4..b0a854f 100644 --- a/policy/modules/system/sysnetwork.te @@ -39513,10 +39553,10 @@ index 0000000..8bca1d7 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..e0c3372 +index 0000000..c9ea962 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,638 @@ +@@ -0,0 +1,640 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -39599,7 +39639,7 @@ index 0000000..e0c3372 +# + +# dac_override is for /run/user/$USER ($USER ownership is $USER:$USER) -+allow systemd_logind_t self:capability { chown kill dac_override fowner sys_tty_config }; ++allow systemd_logind_t self:capability { chown kill dac_override fowner sys_tty_config sys_admin }; +allow systemd_logind_t self:capability2 block_suspend; +allow systemd_logind_t self:process getcap; +allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms; 
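Review bot: sysnet_filetrans_named_content_ifconfig() only adds the name transition `files_pid_filetrans($1, ifconfig_var_run_t, dir, "netns")`; it grants no create or manage permission on ifconfig_var_run_t itself, so a caller that is not separately allowed to manage that type gets the right label but is still denied populating /run/netns. The sibling sysnet_filetrans_named_content() interface above it has the same shape, so this is consistent, but the expectation should be stated: `## Callers must separately be allowed to manage ifconfig_var_run_t.` in the description. I cannot see from this chunk whether neutron_t, the one caller this change adds, already has that permission.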
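Review bot: `sys_admin` is appended to systemd_logind_t's capability set with no justification, while the line directly above carefully explains why `dac_override` is needed for /run/user/$USER; CAP_SYS_ADMIN is the broadest capability (mount, namespaces, a long list of ioctls) and is exactly the grant an auditor will question, and the changelog for this release does not mention it either. Record the triggering operation next to it so it can be revisited, for example `# sys_admin: presumably mounting the per-user tmpfs on /run/user/$UID -- see AVC`, replaced with the actual denial observed. If the denial turns out to be something logind retries harmlessly, a dontaudit is the safer fix than the capability.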
@@ -39693,6 +39733,8 @@ index 0000000..e0c3372 +userdom_use_user_ttys(systemd_logind_t) +userdom_manage_all_user_tmp_content(systemd_logind_t) + ++xserver_dbus_chat(systemd_logind_t) ++ +optional_policy(` + apache_read_tmp_files(systemd_logind_t) +') @@ -39763,7 +39805,7 @@ index 0000000..e0c3372 +logging_send_syslog_msg(systemd_passwd_agent_t) + +userdom_use_user_ptys(systemd_passwd_agent_t) -+userdom_use_inherited_user_ttys(systemd_passwd_agent_t) ++userdom_use_user_ttys(systemd_passwd_agent_t) + +optional_policy(` + lvm_signull(systemd_passwd_agent_t) diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index de2bffe..e13a95b 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -16529,7 +16529,7 @@ index 1303b30..72481a7 100644 + logging_log_filetrans($1, cron_log_t, $2, $3) ') diff --git a/cron.te b/cron.te -index 7de3859..4e6ebcd 100644 +index 7de3859..23baf47 100644 --- a/cron.te +++ b/cron.te @@ -11,46 +11,46 @@ gen_require(` @@ -16557,7 +16557,8 @@ index 7de3859..4e6ebcd 100644 +## the generic cronjob domain. +##
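Review bot: `xserver_dbus_chat(systemd_logind_t)` is called bare, whereas the cross-module calls around it in this block (`apache_read_tmp_files` here, `lvm_signull` in the next hunk) are wrapped in optional_policy blocks. Since the interface is bidirectional it also gives the X server permission to send dbus messages to logind, and nothing in the hunk says which logind/Xorg interaction needs that; wrapping the call in optional_policy like its neighbours and adding `# Xorg without root rights: session registration with logind over dbus -- confirm` above it would keep the file consistent and explain the grant.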
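Review bot: Replacing `userdom_use_inherited_user_ttys` with `userdom_use_user_ttys(systemd_passwd_agent_t)` widens the agent from using a tty fd it inherited to opening any user tty device by path, which means a compromised password agent could read from another logged-in user's tty. For a prompt that systemd spawns on a specific console this may genuinely be required, as the changelog says for systemd-tty-ask, but if the observed denial was only on an inherited fd the original rule was the tighter one. Either way, note the AVC that motivated it in a comment: `# systemd-tty-ask-password-agent opens the user's tty directly, not via an inherited fd`.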

## - gen_tunable(cron_userdomain_transition, false) +-gen_tunable(cron_userdomain_transition, false) ++gen_tunable(cron_userdomain_transition, true) ## ##
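Review bot: Flipping the default to `gen_tunable(cron_userdomain_transition, true)` changes the default confinement of every user cron job: with it on, jobs run in the calling user's own domain instead of the generic cronjob domain the description above refers to, so a job inherits whatever that user domain can do. The changelog says this is temporary until bz#1063503 is fixed, but nothing in the policy file records that, so the relaxed default will outlive the fix. Add `# TODO: revert default to false once bz#1063503 is fixed` above the gen_tunable line and mention the current default in the tunable's description so it is visible to anyone listing booleans. Part of the description text sits outside this hunk.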

@@ -17781,7 +17782,7 @@ index b25b01d..e99c5c6 100644 ') + diff --git a/ctdb.te b/ctdb.te -index 001b502..83fb1f9 100644 +index 001b502..3ceae52 100644 --- a/ctdb.te +++ b/ctdb.te @@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t) @@ -17828,7 +17829,7 @@ index 001b502..83fb1f9 100644 files_pid_filetrans(ctdbd_t, ctdbd_var_run_t, dir) kernel_read_network_state(ctdbd_t) -@@ -72,9 +84,11 @@ corenet_all_recvfrom_netlabel(ctdbd_t) +@@ -72,9 +84,12 @@ corenet_all_recvfrom_netlabel(ctdbd_t) corenet_tcp_sendrecv_generic_if(ctdbd_t) corenet_tcp_sendrecv_generic_node(ctdbd_t) corenet_tcp_bind_generic_node(ctdbd_t) @@ -17837,10 +17838,11 @@ index 001b502..83fb1f9 100644 corenet_sendrecv_ctdb_server_packets(ctdbd_t) corenet_tcp_bind_ctdb_port(ctdbd_t) +corenet_udp_bind_ctdb_port(ctdbd_t) ++corenet_tcp_connect_ctdb_port(ctdbd_t) corenet_tcp_sendrecv_ctdb_port(ctdbd_t) corecmd_exec_bin(ctdbd_t) -@@ -85,12 +99,14 @@ dev_read_urand(ctdbd_t) +@@ -85,12 +100,14 @@ dev_read_urand(ctdbd_t) domain_dontaudit_read_all_domains_state(ctdbd_t) @@ -17857,7 +17859,7 @@ index 001b502..83fb1f9 100644 miscfiles_read_public_files(ctdbd_t) optional_policy(` -@@ -109,6 +125,7 @@ optional_policy(` +@@ -109,6 +126,7 @@ optional_policy(` samba_initrc_domtrans(ctdbd_t) samba_domtrans_net(ctdbd_t) samba_rw_var_files(ctdbd_t) @@ -56198,10 +56200,10 @@ index 0000000..cf03270 +') diff --git a/openshift.te b/openshift.te new file mode 100644 -index 0000000..a66bb69 +index 0000000..db64c6a --- /dev/null +++ b/openshift.te -@@ -0,0 +1,574 @@ +@@ -0,0 +1,576 @@ +policy_module(openshift,1.0.0) + +gen_require(` @@ -56718,6 +56720,8 @@ index 0000000..a66bb69 +kernel_read_network_state(openshift_cron_t) +kernel_read_system_state(openshift_cron_t) + ++files_dontaudit_search_all_mountpoints(openshift_cron_t) ++ +corecmd_exec_bin(openshift_cron_t) +corecmd_exec_shell(openshift_cron_t) + @@ -59086,10 +59090,10 @@ index 0000000..d9296b1 + 
diff --git a/pcp.te b/pcp.te new file mode 100644 -index 0000000..3bd4aa3 +index 0000000..fc9dd48 --- /dev/null +++ b/pcp.te -@@ -0,0 +1,196 @@ +@@ -0,0 +1,215 @@ +policy_module(pcp, 1.0.0) + +######################################## @@ -59143,11 +59147,12 @@ index 0000000..3bd4aa3 +manage_dirs_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t) +manage_files_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t) +manage_sock_files_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t) -+files_pid_filetrans(pcp_domain, pcp_var_run_t, { file sock_file }) ++files_pid_filetrans(pcp_domain, pcp_var_run_t, { dir file sock_file }) + +manage_dirs_pattern(pcp_domain, pcp_tmp_t, pcp_tmp_t) +manage_files_pattern(pcp_domain, pcp_tmp_t, pcp_tmp_t) -+files_tmp_filetrans(pcp_domain, pcp_tmp_t, { dir file }) ++manage_sock_files_pattern(pcp_domain, pcp_tmp_t, pcp_tmp_t) ++files_tmp_filetrans(pcp_domain, pcp_tmp_t, { dir file sock_file }) + +manage_dirs_pattern(pcp_domain, pcp_tmpfs_t, pcp_tmpfs_t) +manage_files_pattern(pcp_domain, pcp_tmpfs_t, pcp_tmpfs_t) @@ -59172,10 +59177,11 @@ index 0000000..3bd4aa3 + +allow pcp_pmcd_t self:process { setsched }; +allow pcp_pmcd_t self:netlink_route_socket create_socket_perms; -+allow pcp_pmcd_t self:unix_dgram_socket create_socket_perms;; ++allow pcp_pmcd_t self:unix_dgram_socket create_socket_perms; + +auth_use_nsswitch(pcp_pmcd_t) + ++kernel_get_sysvipc_info(pcp_pmcd_t) +kernel_read_network_state(pcp_pmcd_t) +kernel_read_system_state(pcp_pmcd_t) +kernel_read_state(pcp_pmcd_t) @@ -59184,9 +59190,13 @@ index 0000000..3bd4aa3 + +corecmd_exec_bin(pcp_pmcd_t) + ++corenet_tcp_bind_amqp_port(pcp_pmcd_t) ++corenet_tcp_connect_amqp_port(pcp_pmcd_t) ++ +dev_read_sysfs(pcp_pmcd_t) + +domain_read_all_domains_state(pcp_pmcd_t) ++domain_getattr_all_domains(pcp_pmcd_t) + +dev_getattr_all_blk_files(pcp_pmcd_t) +dev_getattr_all_chr_files(pcp_pmcd_t) 
@@ -59198,10 +59208,14 @@ index 0000000..3bd4aa3 +fs_list_cgroup_dirs(pcp_pmcd_t) +fs_read_cgroup_files(pcp_pmcd_t) + ++init_read_utmp(pcp_pmcd_t) ++ +logging_send_syslog_msg(pcp_pmcd_t) + +storage_getattr_fixed_disk_dev(pcp_pmcd_t) + ++userdom_read_user_tmp_files(pcp_pmcd_t) ++ +optional_policy(` + dbus_system_bus_client(pcp_pmcd_t) + @@ -59269,10 +59283,16 @@ index 0000000..3bd4aa3 + +allow pcp_pmie_t pcp_pmcd_t:unix_stream_socket connectto; + ++kernel_read_system_state(pcp_pmie_t) ++ ++corecmd_exec_bin(pcp_pmie_t) ++ +corenet_tcp_connect_all_ephemeral_ports(pcp_pmie_t) + +logging_send_syslog_msg(pcp_pmie_t) + ++userdom_read_user_tmp_files(pcp_pmie_t) ++ +######################################## +# +# pcp_pmlogger local policy @@ -59284,8 +59304,11 @@ index 0000000..3bd4aa3 +allow pcp_pmlogger_t pcp_pmcd_t:unix_stream_socket connectto; + +corenet_tcp_bind_dey_sapi_port(pcp_pmlogger_t) ++corenet_tcp_bind_commplex_link_port(pcp_pmlogger_t) +corenet_tcp_bind_generic_node(pcp_pmlogger_t) + ++corenet_tcp_connect_all_ephemeral_ports(pcp_pmlogger_t) ++ diff --git a/pcscd.if b/pcscd.if index 43d50f9..6b1544f 100644 --- a/pcscd.if @@ -71877,10 +71900,10 @@ index afc0068..3105104 100644 + ') ') diff --git a/quantum.te b/quantum.te -index 8644d8b..9a3a093 100644 +index 8644d8b..c93b852 100644 --- a/quantum.te +++ b/quantum.te -@@ -5,92 +5,119 @@ policy_module(quantum, 1.1.0) +@@ -5,92 +5,121 @@ policy_module(quantum, 1.1.0) # Declarations # @@ -71931,6 +71954,7 @@ index 8644d8b..9a3a093 100644 +allow neutron_t self:key manage_key_perms; +allow neutron_t self:tcp_socket { accept listen }; +allow neutron_t self:unix_stream_socket { accept listen }; ++allow neutron_t self:netlink_route_socket rw_netlink_socket_perms; + +manage_dirs_pattern(neutron_t, neutron_log_t, neutron_log_t) +append_files_pattern(neutron_t, neutron_log_t, neutron_log_t) 
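Review bot: `userdom_read_user_tmp_files(pcp_pmcd_t)` (and the same grant to pcp_pmie_t further down) lets a system-wide metrics daemon read every user's /tmp content, a cross-user disclosure path that a collector should not need; the same hunk already gives pmcd `domain_read_all_domains_state` and `domain_getattr_all_domains`, so what user tmp adds is private file contents rather than metrics. If the need is a specific PCP file under /tmp, labelling that path pcp_tmp_t through a file context and relying on the `files_tmp_filetrans(pcp_domain, pcp_tmp_t, ...)` added in this same module is the tighter fix. The `;;` typo fix on the unix_dgram_socket line is welcome; the `corenet_tcp_connect_all_ephemeral_ports` grants for pmie and pmlogger would benefit from a comment naming which PCP service they connect to.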
@@ -72010,6 +72034,7 @@ index 8644d8b..9a3a093 100644 -logging_send_audit_msgs(quantum_t) -logging_send_syslog_msg(quantum_t) +sysnet_exec_ifconfig(neutron_t) ++sysnet_filetrans_named_content_ifconfig(neutron_t) -miscfiles_read_localization(quantum_t) +optional_policy(` @@ -77700,7 +77725,7 @@ index 6dbc905..4b17c93 100644 - admin_pattern($1, rhsmcertd_lock_t) ') diff --git a/rhsmcertd.te b/rhsmcertd.te -index d32e1a2..a87ab50 100644 +index d32e1a2..c4cf8a7 100644 --- a/rhsmcertd.te +++ b/rhsmcertd.te @@ -30,14 +30,13 @@ files_pid_file(rhsmcertd_var_run_t) @@ -77721,8 +77746,11 @@ index d32e1a2..a87ab50 100644 manage_files_pattern(rhsmcertd_t, rhsmcertd_lock_t, rhsmcertd_lock_t) files_lock_filetrans(rhsmcertd_t, rhsmcertd_lock_t, file) -@@ -52,23 +51,45 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir }) +@@ -50,25 +49,48 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t) + files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir }) + kernel_read_network_state(rhsmcertd_t) ++kernel_read_sysctl(rhsmcertd_t) kernel_read_system_state(rhsmcertd_t) +corenet_tcp_connect_http_port(rhsmcertd_t) @@ -82618,7 +82646,7 @@ index 50d07fb..bada62f 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index 2b7c441..e411600 100644 +index 2b7c441..706b3a4 100644 --- a/samba.te +++ b/samba.te @@ -6,100 +6,80 @@ policy_module(samba, 1.16.3) @@ -83197,7 +83225,7 @@ index 2b7c441..e411600 100644 rpc_search_nfs_state_data(smbd_t) ') -@@ -499,9 +503,33 @@ optional_policy(` +@@ -499,9 +503,36 @@ optional_policy(` udev_read_db(smbd_t) ') 
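Review bot: `sysnet_filetrans_named_content_ifconfig(neutron_t)` fixes the label of /run/netns, but `ip netns add` also bind-mounts /proc/self/ns/net onto the new entry and marks /run/netns shared, which needs mount permission and CAP_SYS_ADMIN in neutron_t; neither appears in this hunk, so unless they are granted elsewhere (not visible here) the command will still fail after the label fix. Because ip runs in neutron_t itself (`sysnet_exec_ifconfig`, no domain transition), those permissions land on the whole agent rather than a helper domain, which is worth stating in a comment such as `# ip netns: /run/netns is created here; mount/sys_admin rules for the bind mount are in ...`. The new `netlink_route_socket rw_netlink_socket_perms` is the expected grant for running ip.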
@@ -83220,9 +83248,12 @@ index 2b7c441..e411600 100644 + allow nmbd_t self:capability { dac_read_search dac_override }; + fs_manage_noxattr_fs_files(smbd_t) + files_manage_non_security_files(smbd_t) ++ files_manage_non_security_dirs(smbd_t) + fs_manage_noxattr_fs_files(nmbd_t) + files_manage_non_security_files(nmbd_t) ++ files_manage_non_security_dirs(nmbd_t) +') ++ +userdom_filetrans_home_content(nmbd_t) + ######################################## @@ -83232,7 +83263,7 @@ index 2b7c441..e411600 100644 # dontaudit nmbd_t self:capability sys_tty_config; -@@ -512,9 +540,11 @@ allow nmbd_t self:msg { send receive }; +@@ -512,9 +543,11 @@ allow nmbd_t self:msg { send receive }; allow nmbd_t self:msgq create_msgq_perms; allow nmbd_t self:sem create_sem_perms; allow nmbd_t self:shm create_shm_perms; @@ -83247,7 +83278,7 @@ index 2b7c441..e411600 100644 manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t) manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t) -@@ -526,20 +556,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) +@@ -526,20 +559,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t) @@ -83271,7 +83302,7 @@ index 2b7c441..e411600 100644 kernel_getattr_core_if(nmbd_t) kernel_getattr_message_if(nmbd_t) -@@ -548,52 +573,42 @@ kernel_read_network_state(nmbd_t) +@@ -548,52 +576,42 @@ kernel_read_network_state(nmbd_t) kernel_read_software_raid_state(nmbd_t) kernel_read_system_state(nmbd_t) @@ -83338,7 +83369,7 @@ index 2b7c441..e411600 100644 ') optional_policy(` -@@ -606,16 +621,22 @@ optional_policy(` +@@ -606,16 +624,22 @@ optional_policy(` ######################################## # 
@@ -83365,7 +83396,7 @@ index 2b7c441..e411600 100644 manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t) -@@ -627,16 +648,11 @@ domain_use_interactive_fds(smbcontrol_t) +@@ -627,16 +651,11 @@ domain_use_interactive_fds(smbcontrol_t) dev_read_urand(smbcontrol_t) @@ -83383,7 +83414,7 @@ index 2b7c441..e411600 100644 optional_policy(` ctdbd_stream_connect(smbcontrol_t) -@@ -644,22 +660,23 @@ optional_policy(` +@@ -644,22 +663,23 @@ optional_policy(` ######################################## # @@ -83415,7 +83446,7 @@ index 2b7c441..e411600 100644 allow smbmount_t samba_secrets_t:file manage_file_perms; -@@ -668,26 +685,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) +@@ -668,26 +688,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t) files_var_filetrans(smbmount_t, samba_var_t, dir, "samba") @@ -83451,7 +83482,7 @@ index 2b7c441..e411600 100644 fs_getattr_cifs(smbmount_t) fs_mount_cifs(smbmount_t) -@@ -699,58 +712,77 @@ fs_read_cifs_files(smbmount_t) +@@ -699,58 +715,77 @@ fs_read_cifs_files(smbmount_t) storage_raw_read_fixed_disk(smbmount_t) storage_raw_write_fixed_disk(smbmount_t) @@ -83543,7 +83574,7 @@ index 2b7c441..e411600 100644 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -759,17 +791,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) +@@ -759,17 +794,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t) files_pid_filetrans(swat_t, swat_var_run_t, file) @@ -83567,7 +83598,7 @@ index 2b7c441..e411600 100644 kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) -@@ -777,36 +805,25 @@ kernel_read_network_state(swat_t) +@@ -777,36 +808,25 @@ kernel_read_network_state(swat_t) corecmd_search_bin(swat_t) 
@@ -83610,7 +83641,7 @@ index 2b7c441..e411600 100644 auth_domtrans_chk_passwd(swat_t) auth_use_nsswitch(swat_t) -@@ -818,10 +835,11 @@ logging_send_syslog_msg(swat_t) +@@ -818,10 +838,11 @@ logging_send_syslog_msg(swat_t) logging_send_audit_msgs(swat_t) logging_search_logs(swat_t) @@ -83624,7 +83655,7 @@ index 2b7c441..e411600 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -840,17 +858,20 @@ optional_policy(` +@@ -840,17 +861,20 @@ optional_policy(` # Winbind local policy # @@ -83650,7 +83681,7 @@ index 2b7c441..e411600 100644 allow winbind_t samba_etc_t:dir list_dir_perms; read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) -@@ -860,9 +881,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) +@@ -860,9 +884,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file) manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t) @@ -83661,7 +83692,7 @@ index 2b7c441..e411600 100644 manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t) manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t) -@@ -873,23 +892,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") +@@ -873,23 +895,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) @@ -83691,7 +83722,7 @@ index 2b7c441..e411600 100644 manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t) kernel_read_network_state(winbind_t) -@@ -898,13 +915,17 @@ kernel_read_system_state(winbind_t) +@@ -898,13 +918,17 @@ kernel_read_system_state(winbind_t) corecmd_exec_bin(winbind_t) 
@@ -83712,7 +83743,7 @@ index 2b7c441..e411600 100644 corenet_tcp_connect_smbd_port(winbind_t) corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -912,10 +933,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) +@@ -912,10 +936,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) dev_read_sysfs(winbind_t) dev_read_urand(winbind_t) @@ -83723,7 +83754,7 @@ index 2b7c441..e411600 100644 fs_getattr_all_fs(winbind_t) fs_search_auto_mountpoints(winbind_t) -@@ -924,26 +941,39 @@ auth_domtrans_chk_passwd(winbind_t) +@@ -924,26 +944,39 @@ auth_domtrans_chk_passwd(winbind_t) auth_use_nsswitch(winbind_t) auth_manage_cache(winbind_t) @@ -83765,7 +83796,7 @@ index 2b7c441..e411600 100644 ') optional_policy(` -@@ -959,31 +989,29 @@ optional_policy(` +@@ -959,31 +992,29 @@ optional_policy(` # Winbind helper local policy # @@ -83803,7 +83834,7 @@ index 2b7c441..e411600 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -997,25 +1025,38 @@ optional_policy(` +@@ -997,25 +1028,38 @@ optional_policy(` ######################################## # @@ -92278,10 +92309,10 @@ index 0000000..df82c36 +') diff --git a/swift.te b/swift.te new file mode 100644 -index 0000000..c7b2bf6 +index 0000000..7bef550 --- /dev/null +++ b/swift.te -@@ -0,0 +1,69 @@ +@@ -0,0 +1,80 @@ +policy_module(swift, 1.0.0) + +######################################## @@ -92293,6 +92324,9 @@ index 0000000..c7b2bf6 +type swift_exec_t; +init_daemon_domain(swift_t, swift_exec_t) + ++type swift_tmp_t; ++files_tmpfs_file(swift_tmp_t) ++ +type swift_var_cache_t; +files_type(swift_var_cache_t) + 
@@ -92317,6 +92351,10 @@ index 0000000..c7b2bf6 +allow swift_t self:unix_stream_socket create_stream_socket_perms; +allow swift_t self:unix_dgram_socket create_socket_perms; + ++manage_dirs_pattern(swift_t, swift_tmp_t, swift_tmp_t) ++manage_files_pattern(swift_t, swift_tmp_t, swift_tmp_t) ++files_tmp_filetrans(swift_t, swift_tmp_t, { dir file }) ++ +manage_dirs_pattern(swift_t, swift_var_cache_t, swift_var_cache_t) +manage_files_pattern(swift_t, swift_var_cache_t, swift_var_cache_t) +manage_lnk_files_pattern(swift_t, swift_var_cache_t, swift_var_cache_t) @@ -92351,6 +92389,10 @@ index 0000000..c7b2bf6 +logging_send_syslog_msg(swift_t) + +userdom_dontaudit_search_user_home_dirs(swift_t) ++ ++optional_policy(` ++ rpm_exec(swift_t) ++') diff --git a/swift_alias.fc b/swift_alias.fc new file mode 100644 index 0000000..b7db254 @@ -99350,7 +99392,7 @@ index facdee8..fddb027 100644 + virt_stream_connect($1) ') diff --git a/virt.te b/virt.te -index f03dcf5..2a43838 100644 +index f03dcf5..7a02075 100644 --- a/virt.te +++ b/virt.te @@ -1,150 +1,197 @@ @@ -100286,7 +100328,7 @@ index f03dcf5..2a43838 100644 kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) -@@ -746,44 +626,276 @@ optional_policy(` +@@ -746,44 +626,277 @@ optional_policy(` udev_read_pid_files(virtd_t) ') @@ -100323,6 +100365,7 @@ index f03dcf5..2a43838 100644 -manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type) -manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type) +kernel_read_net_sysctls(virt_domain) ++kernel_read_network_state(virt_domain) -manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) -manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) 
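Review bot: swift_tmp_t is declared with `files_tmpfs_file(swift_tmp_t)` in the previous hunk but is used here as a /tmp type via `files_tmp_filetrans(swift_t, swift_tmp_t, { dir file })`; a type for /tmp content should be declared `files_tmp_file(swift_tmp_t)` so it carries the tmpfile attribute that generic tmp handling keys off, whereas files_tmpfs_file sets it up for tmpfs association that the transition never uses. The other tmp types in this change (pcp_tmp_t) follow the files_tmp_file pattern. Separately, `rpm_exec(swift_t)` runs rpm inside swift_t with no transition, which is fine for queries but means any rpm database write is denied and audited; a comment like `# swift invokes rpm for read-only version queries -- confirm` would document the intent.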
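Review bot: `kernel_read_network_state(virt_domain)` is attached to the virt_domain attribute, which covers every guest and container process domain rather than libvirtd, so each confined VM or container process can now read the host's /proc/net (sockets, routes, ARP, netfilter state). For processes that are supposed to be isolated from the host that is meaningful information exposure; if only one helper needs it, grant it to that domain, and if every guest really needs it, add a comment above the line naming the guest-side operation that reads it. The neighbouring `kernel_read_net_sysctls(virt_domain)` already has the same breadth, so at minimum a shared comment would help.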
@@ -100585,7 +100628,7 @@ index f03dcf5..2a43838 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -794,25 +906,18 @@ kernel_write_xen_state(virsh_t) +@@ -794,25 +907,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -100612,7 +100655,7 @@ index f03dcf5..2a43838 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -821,23 +926,25 @@ fs_search_auto_mountpoints(virsh_t) +@@ -821,23 +927,25 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -100646,7 +100689,7 @@ index f03dcf5..2a43838 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) -@@ -856,14 +963,20 @@ optional_policy(` +@@ -856,14 +964,20 @@ optional_policy(` ') optional_policy(` @@ -100668,7 +100711,7 @@ index f03dcf5..2a43838 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -888,49 +1001,65 @@ optional_policy(` +@@ -888,49 +1002,65 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -100752,7 +100795,7 @@ index f03dcf5..2a43838 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -942,17 +1071,16 @@ dev_read_urand(virtd_lxc_t) +@@ -942,17 +1072,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -100772,7 +100815,7 @@ index f03dcf5..2a43838 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -964,8 +1092,23 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -964,8 +1093,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) 
@@ -100796,7 +100839,7 @@ index f03dcf5..2a43838 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1117,275 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1118,275 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -101210,7 +101253,7 @@ index f03dcf5..2a43838 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1398,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1399,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -101225,7 +101268,7 @@ index f03dcf5..2a43838 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,9 +1416,8 @@ optional_policy(` +@@ -1192,9 +1417,8 @@ optional_policy(` ######################################## # @@ -101236,7 +101279,7 @@ index f03dcf5..2a43838 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1207,5 +1430,206 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1207,5 +1431,206 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 6aed8b1..3953ed2 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 29%{?dist} +Release: 30%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -580,6 +580,24 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri Mar 7 2014 Miroslav Grepl 3.13.1-31 +- Modify xdm_write_home to allow create files/links in /root with xdm_home_t +- Add more fixes for https://fedoraproject.org/wiki/Changes/XorgWithoutRootRights +- Add xserver_dbus_chat() interface +- Add sysnet_filetrans_named_content_ifconfig() interface +- Change userdom_use_user_inherited_ttys to userdom_use_user_ttys for systemd-tty-ask +- Turn on cron_userdomain_transition by default for now. Until we get a fix for #1063503 +- Allow lscpu running as rhsmcertd_t to read sysinfo +- Allow virt domains to read network state +- Added pcp rules +- Allow ctdbd to connect own ports +- Fix samba_export_all_rw booleanto cover also non security dirs +- Allow swift to exec rpm in swift_t and allow to create tmp files/dirs +- Allow neutron to create /run/netns with correct labeling +- Allow to run ip cmd in neutron_t domain +- Allow rpm_script_t to dbus chat also with systemd-located +- Fix ipa_stream_connect_otpd() + * Tue Mar 4 2014 Miroslav Grepl 3.13.1-30 - Allow block_suspend cap2 for systemd-logind and rw dri device - Add labeling for /usr/libexec/nm-libreswan-service
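Review bot: The Release tag is bumped to `30%{?dist}` but the new %changelog entry is labelled `3.13.1-31`, and the entry beneath it for what shipped as Release 29 is already labelled `3.13.1-30`, so the changelog headers look one ahead of the tag; rpmbuild will not complain, but tooling and humans mapping changelog to package will. Make the new header `* Fri Mar 7 2014 Miroslav Grepl 3.13.1-30` or bump Release to 31 so the two agree. Also `systemd-located` in the rpm_script_t line is presumably `systemd-localed`, and that entry and the ipa_stream_connect_otpd() one describe changes not visible in this chunk, so I cannot confirm they are in the patch.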