diff --git a/SOURCES/customizable_types b/SOURCES/customizable_types
index 7c71c38..feaea35 100644
--- a/SOURCES/customizable_types
+++ b/SOURCES/customizable_types
@@ -1,7 +1,7 @@
 sandbox_file_t
 svirt_image_t
 svirt_home_t
-svirt_lxc_file_t
+svirt_sandbox_file_t
 virt_content_t
 httpd_user_htaccess_t
 httpd_user_script_exec_t
diff --git a/SOURCES/policy-rhel-7.0.z-base.patch b/SOURCES/policy-rhel-7.0.z-base.patch
new file mode 100644
index 0000000..e229992
--- /dev/null
+++ b/SOURCES/policy-rhel-7.0.z-base.patch
@@ -0,0 +1,471 @@ +diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te +index a99f6e9..ee8e830 100644 +--- a/policy/modules/admin/bootloader.te ++++ b/policy/modules/admin/bootloader.te +@@ -135,6 +135,7 @@ files_etc_filetrans_etc_runtime(bootloader_t, file) + files_dontaudit_search_home(bootloader_t) + + ++init_read_state(bootloader_t) + init_getattr_initctl(bootloader_t) + init_use_script_ptys(bootloader_t) + init_use_script_fds(bootloader_t) +diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te +index 17357e5..bb4a6f0 100644 +--- a/policy/modules/admin/dmesg.te ++++ b/policy/modules/admin/dmesg.te +@@ -34,6 +34,7 @@ kernel_dontaudit_write_kernel_sysctl(dmesg_t) + + dev_read_sysfs(dmesg_t) + dev_read_kmsg(dmesg_t) ++dev_read_raw_memory(dmesg_t) + + fs_search_auto_mountpoints(dmesg_t) + +@@ -51,6 +52,8 @@ init_use_script_ptys(dmesg_t) + logging_send_syslog_msg(dmesg_t) + logging_write_generic_logs(dmesg_t) + ++miscfiles_read_hwdata(dmesg_t) ++ + userdom_dontaudit_use_unpriv_user_fds(dmesg_t) + userdom_use_inherited_user_terminals(dmesg_t) + +diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te +index fc6d1d3..612503a 100644 +--- a/policy/modules/admin/sudo.te ++++ b/policy/modules/admin/sudo.te +@@ -35,6 +35,7 @@ allow sudodomain self:unix_stream_socket create_stream_socket_perms; + allow sudodomain self:unix_dgram_socket sendto; + allow sudodomain self:unix_stream_socket connectto; + allow sudodomain self:key manage_key_perms; ++allow sudodomain self:netlink_kobject_uevent_socket create_socket_perms; + + kernel_getattr_core_if(sudodomain) + kernel_link_key(sudodomain) +@@ -97,6 +98,10 @@ userdom_search_user_home_content(sudodomain) + userdom_search_admin_dir(sudodomain) + userdom_manage_all_users_keys(sudodomain) + ++tunable_policy(`authlogin_yubikey',` ++ auth_manage_home_content(sudodomain) ++') ++ + optional_policy(` + dbus_system_bus_client(sudodomain) + ') +diff --git 
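Review bot: `dev_read_raw_memory(dmesg_t)` in the dmesg.te hunk grants the dmesg domain read access to the raw memory devices (/dev/mem, /dev/kmem and friends), which is a far larger exposure than the `dev_read_kmsg(dmesg_t)` it already has — anything able to run dmesg in this domain could read kernel memory contents. Nothing in the hunk says which code path in dmesg needs it; if it was added to silence an AVC that does not actually break the tool, a dontaudit on the memory device type (refpolicy has `dev_dontaudit_read_raw_memory`, if this tree carries it) is the narrower fix. If the read is genuinely required, a comment naming the caller should sit above the allow so the grant can be re-checked later. I cannot tell from the hunk which of the two cases applies.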
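Review bot: The yubikey block in the second sudo.te hunk calls `auth_manage_home_content(sudodomain)`, which, per the interface added in authlogin.if by this same patch, is `manage_dirs_pattern` plus `manage_files_pattern` on auth_home_t — create, rename and delete of a user's ~/.yubico and ~/.google_authenticator state, not just an update of it. If the need is only for pam_yubico to rewrite its challenge-response state file, a read/write-files interface would cover that without letting a sudo domain remove a user's second factor; if directory creation on first use is genuinely required, a comment above the `tunable_policy` saying so would help the next reviewer. Whether pam_yubico creates the directory itself is not determinable from the hunk.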
a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in +index 72e1a41..77dedae 100644 +--- a/policy/modules/kernel/corenetwork.te.in ++++ b/policy/modules/kernel/corenetwork.te.in +@@ -272,7 +272,7 @@ network_port(pulseaudio, tcp,4713,s0, udp,4713,s0) + network_port(puppet, tcp, 8140, s0) + network_port(pxe, udp,4011,s0) + network_port(pyzor, udp,24441,s0) +-network_port(neutron, tcp,9696,s0) ++network_port(neutron, tcp,9696,s0, tcp,9697,s0) + network_port(radacct, udp,1646,s0, udp,1813,s0) + network_port(radius, udp,1645,s0, udp,1812,s0) + network_port(radsec, tcp,2083,s0) +@@ -326,6 +326,7 @@ network_port(trisoap, tcp,10200,s0, udp,10200,s0) + network_port(ups, tcp,3493,s0) + network_port(utcpserver) # no defined portcon + network_port(uucpd, tcp,540,s0) ++network_port(us_cli, tcp,8082,s0, udp,8082,s0, tcp,8083,s0, udp,8083,s0) + network_port(varnishd, tcp,6081-6082,s0) + network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) + network_port(virtual_places, tcp,1533,s0, udp,1533,s0) +diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if +index fb27ae5..d86836b 100644 +--- a/policy/modules/kernel/devices.if ++++ b/policy/modules/kernel/devices.if +@@ -5532,6 +5532,24 @@ interface(`dev_rw_xserver_misc',` + + ######################################## + ## ++## Dontaudit attempts to Read and write X server miscellaneous devices. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`dev_dontaudit_leaked_xserver_misc',` ++ gen_require(` ++ type xserver_misc_device_t; ++ ') ++ ++ dontaudit $1 xserver_misc_device_t:chr_file { read write }; ++') ++ ++######################################## ++## + ## Read and write X server miscellaneous devices. 
+ ## + ## +diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te +index 64d9761..269db99 100644 +--- a/policy/modules/kernel/domain.te ++++ b/policy/modules/kernel/domain.te +@@ -137,9 +137,10 @@ term_use_controlling_term(domain) + + # list the root directory + files_list_root(domain) +-# allow all domains to search through default_t directory, since users sometimes +-# place labels within these directories. (samba_share_t) for example. +-files_search_default(domain) ++# allow all domains to search through base_file_type directory, since users ++# sometimes place labels within these directories. (samba_share_t) for example. ++files_search_base_file_types(domain) ++ + files_read_inherited_tmp_files(domain) + files_append_inherited_tmp_files(domain) + files_read_all_base_ro_files(domain) +@@ -148,6 +149,10 @@ files_dontaduit_getattr_kernel_symbol_table(domain) + # All executables should be able to search the directory they are in + corecmd_search_bin(domain) + ++optional_policy(` ++ userdom_search_admin_dir(domain) ++') ++ + tunable_policy(`domain_kernel_load_modules',` + kernel_request_load_module(domain) + ') +@@ -419,6 +424,7 @@ optional_policy(` + + optional_policy(` + sysnet_filetrans_named_content(named_filetrans_domain) ++ sysnet_filetrans_named_content_ifconfig(named_filetrans_domain) + ') + + optional_policy(` +@@ -429,6 +435,7 @@ optional_policy(` + systemd_filetrans_named_content(named_filetrans_domain) + systemd_filetrans_named_hostname(named_filetrans_domain) + systemd_filetrans_home_content(named_filetrans_domain) ++ systemd_dontaudit_write_inherited_logind_sessions_pipes(domain) + ') + + optional_policy(` +diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if +index 2dd815a..8a14ff2 100644 +--- a/policy/modules/kernel/files.if ++++ b/policy/modules/kernel/files.if +@@ -982,6 +982,24 @@ interface(`files_relabel_non_security_files',` + + ######################################## + ## ++## Search all base 
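Review bot: `userdom_search_admin_dir(domain)` in the second domain.te hunk hands every domain in the policy search permission on /root (admin_home_t), and the first hunk widens the old default_t-only search to every base_file_type directory via `files_search_base_file_types(domain)`. Search alone does not expose file contents, but it turns /root into a traversable path for every confined service, so any over-permissive file elsewhere under it becomes reachable; a per-domain grant, or a dontaudit variant if the motivating denials were only noise, would be the conservative option. The rule is wrapped in `optional_policy` with no comment, so a one-liner stating which services needed it — e.g. `# services started with cwd=/root need to traverse it` if that is the case — would make the widening reviewable later.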
file dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_search_base_file_types',` ++ gen_require(` ++ attribute base_file_type; ++ ') ++ ++ allow $1 base_file_type:dir search_dir_perms; ++') ++ ++######################################## ++## + ## Relabel all base file types. + ## + ## +diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc +index 924f856..7b26d12 100644 +--- a/policy/modules/kernel/filesystem.fc ++++ b/policy/modules/kernel/filesystem.fc +@@ -21,5 +21,5 @@ HOME_DIR/\.Private(/.*)? gen_context(system_u:object_r:ecryptfs_t,s0) + /usr/lib/udev/devices/hugepages/.* <> + /usr/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0) + /usr/lib/udev/devices/shm/.* <> +-/var/run/[^/]*/gvfs -d gen_context(system_u:object_r:fusefs_t,s0) +-/var/run/[^/]*/gvfs/.* <> ++/var/run/user/[^/]*/gvfs -d gen_context(system_u:object_r:fusefs_t,s0) ++/var/run/user/[^/]*/gvfs/.* <> +diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te +index d6519a1..5a9d307 100644 +--- a/policy/modules/services/ssh.te ++++ b/policy/modules/services/ssh.te +@@ -39,6 +39,9 @@ type ssh_keygen_t; + type ssh_keygen_exec_t; + init_system_domain(ssh_keygen_t, ssh_keygen_exec_t) + ++type ssh_keygen_tmp_t; ++files_tmp_file(ssh_keygen_tmp_t) ++ + type sshd_keygen_t; + type sshd_keygen_exec_t; + init_daemon_domain(sshd_keygen_t, sshd_keygen_exec_t) +@@ -468,6 +471,10 @@ manage_files_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t) + userdom_admin_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir) + userdom_user_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir) + ++manage_dirs_pattern(ssh_keygen_t, ssh_keygen_tmp_t, ssh_keygen_tmp_t) ++manage_files_pattern(ssh_keygen_t, ssh_keygen_tmp_t, ssh_keygen_tmp_t) ++files_tmp_filetrans(ssh_keygen_t, ssh_keygen_tmp_t, { file dir }) ++ + kernel_read_system_state(ssh_keygen_t) + kernel_read_kernel_sysctls(ssh_keygen_t) + +diff --git a/policy/modules/system/authlogin.fc 
b/policy/modules/system/authlogin.fc +index 36fbb93..ed25543 100644 +--- a/policy/modules/system/authlogin.fc ++++ b/policy/modules/system/authlogin.fc +@@ -1,7 +1,7 @@ +-HOME_DIR/\.yubico(/.*)? gen_context(system_u:object_r:auth_home_t,s0) ++HOME_DIR/\.yubico(/.*)? gen_context(system_u:object_r:auth_home_t,s0) + HOME_DIR/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0) + HOME_DIR/\.google_authenticator~ gen_context(system_u:object_r:auth_home_t,s0) +-/root/\.yubico(/.*)? gen_context(system_u:object_r:auth_home_t,s0) ++/root/\.yubico(/.*)? gen_context(system_u:object_r:auth_home_t,s0) + /root/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0) + /root/\.google_authenticator~ gen_context(system_u:object_r:auth_home_t,s0) + +diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if +index c74d0d5..42803b7 100644 +--- a/policy/modules/system/authlogin.if ++++ b/policy/modules/system/authlogin.if +@@ -2232,6 +2232,26 @@ interface(`auth_read_home_content',` + read_files_pattern($1, auth_home_t, auth_home_t) + ') + ++######################################## ++## ++## Read the authorization data in the user home directory ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`auth_manage_home_content',` ++ ++ gen_require(` ++ type auth_home_t; ++ ') ++ ++ userdom_search_user_home_dirs($1) ++ manage_files_pattern($1, auth_home_t, auth_home_t) ++ manage_dirs_pattern($1, auth_home_t, auth_home_t) ++') + + ######################################## + ## +diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te +index 9b993c6..837948b 100644 +--- a/policy/modules/system/authlogin.te ++++ b/policy/modules/system/authlogin.te +@@ -14,7 +14,7 @@ gen_tunable(authlogin_radius, false) + + ## + ##
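Review bot: The summary of the new `auth_manage_home_content` interface reads `Read the authorization data in the user home directory`, but the body grants `manage_files_pattern` and `manage_dirs_pattern` on auth_home_t, so a caller reading the summary (sudodomain is the first one, in sudo.te of this patch) would under-estimate what it hands out. Change it to `## Create, read, write and delete the authorization data (auth_home_t files and directories) in user home directories.` so the name, the doc and the rules agree. The interface also opens with a stray blank line after the backquote, unlike `auth_read_home_content` directly above it.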

+-## Allow users to login using a yubikey server ++## Allow users to login using a yubikey OTP server or challenge response mode + ##

+ ##
+ gen_tunable(authlogin_yubikey, false) +@@ -455,9 +455,29 @@ sysnet_dns_name_resolve(nsswitch_domain) + + systemd_hostnamed_read_config(nsswitch_domain) + ++ ++tunable_policy(`authlogin_nsswitch_use_ldap',` ++ allow nsswitch_domain self:tcp_socket create_socket_perms; ++') ++ ++tunable_policy(`authlogin_nsswitch_use_ldap',` ++ corenet_tcp_sendrecv_generic_if(nsswitch_domain) ++ corenet_tcp_sendrecv_generic_node(nsswitch_domain) ++ corenet_tcp_sendrecv_ldap_port(nsswitch_domain) ++ corenet_tcp_connect_ldap_port(nsswitch_domain) ++ corenet_sendrecv_ldap_client_packets(nsswitch_domain) ++') ++ ++tunable_policy(`authlogin_nsswitch_use_ldap',` ++ # Support for LDAPS ++ dev_read_rand(nsswitch_domain) ++ # LDAP Configuration using encrypted requires ++ dev_read_urand(nsswitch_domain) ++ sysnet_read_config(nsswitch_domain) ++') ++ + tunable_policy(`authlogin_nsswitch_use_ldap',` + miscfiles_read_generic_certs(nsswitch_domain) +- sysnet_use_ldap(nsswitch_domain) + ') + + optional_policy(` +@@ -468,6 +488,7 @@ optional_policy(` + + optional_policy(` + tunable_policy(`authlogin_nsswitch_use_ldap',` ++ ldap_read_certs(nsswitch_domain) + ldap_stream_connect(nsswitch_domain) + ') + ') +diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te +index c983546..d76c572 100644 +--- a/policy/modules/system/init.te ++++ b/policy/modules/system/init.te +@@ -324,6 +324,7 @@ optional_policy(` + + optional_policy(` + kdump_read_crash(init_t) ++ kdump_read_config(init_t) + ') + + optional_policy(` +@@ -484,6 +485,11 @@ ifdef(`distro_redhat',` + optional_policy(` + rpc_manage_nfs_state_data(init_t) + ') ++ ++ optional_policy(` ++ sysnet_relabelfrom_dhcpc_state(init_t) ++ sysnet_setattr_dhcp_state(init_t) ++ ') + ') + + optional_policy(` +diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te +index 7ca1e9e..5338f4d 100644 +--- a/policy/modules/system/ipsec.te ++++ b/policy/modules/system/ipsec.te +@@ -93,6 +93,7 @@ allow ipsec_t 
ipsec_initrc_exec_t:file read_file_perms; + allow ipsec_t ipsec_conf_file_t:dir list_dir_perms; + read_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t) + read_lnk_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t) ++filetrans_pattern(ipsec_t, ipsec_conf_file_t, ipsec_key_file_t, file, "ipsec.secrets") + + allow ipsec_t ipsec_key_file_t:dir list_dir_perms; + read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t) +@@ -339,6 +340,7 @@ userdom_use_inherited_user_terminals(ipsec_mgmt_t) + optional_policy(` + bind_read_dnssec_keys(ipsec_mgmt_t) + bind_read_config(ipsec_mgmt_t) ++ bind_read_state(ipsec_mgmt_t) + ') + + optional_policy(` +diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if +index 821e74c..50b1c3c 100644 +--- a/policy/modules/system/sysnetwork.if ++++ b/policy/modules/system/sysnetwork.if +@@ -769,6 +769,26 @@ interface(`sysnet_search_dhcp_state',` + allow $1 dhcp_state_t:dir search_dir_perms; + ') + ++####################################### ++## ++## Set the attributes of network config files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sysnet_setattr_dhcp_state',` ++ gen_require(` ++ type dhcp_state_t; ++ ') ++ ++ files_search_var_lib($1) ++ allow $1 dhcp_state_t:file setattr_file_perms; ++') ++ ++ + ######################################## + ## + ## Create DHCP state data. 
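Review bot: The new `filetrans_pattern(ipsec_t, ipsec_conf_file_t, ipsec_key_file_t, file, "ipsec.secrets")` in the first ipsec.te hunk only takes effect if ipsec_t can create files in ipsec_conf_file_t directories, and the visible lines of that hunk give it only list, read and read-lnk access on that type. If the create permission is granted elsewhere in ipsec.te (outside the hunk) the transition is a good fix for a freshly written secrets file landing with the config label; otherwise the rule is dead, and `sesearch -A -s ipsec_t -t ipsec_conf_file_t -c dir -p add_name` on the built policy would settle it. Either way a comment such as `# a newly created ipsec.secrets must get the key label, not the config label` above the line would record why it exists.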
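Review bot: The summary of the new `sysnet_setattr_dhcp_state` interface says `Set the attributes of network config files.` while the rule is `allow $1 dhcp_state_t:file setattr_file_perms;`, i.e. DHCP state files under /var/lib, which the `files_search_var_lib($1)` line confirms. Suggest `## Set the attributes of DHCP state files.` so callers (init_t picks it up in init.te in this same patch) do not confuse it with the net_conf_t interfaces.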
+@@ -881,12 +901,14 @@ interface(`sysnet_use_ldap',` + + # Support for LDAPS + dev_read_rand($1) ++ # LDAP Configuration using encrypted requires + dev_read_urand($1) + + sysnet_read_config($1) + +- # LDAP Configuration using encrypted requires +- dev_read_urand($1) ++ optional_policy(` ++ ldap_read_certs($1) ++ ') + ') + + ######################################## +diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te +index 28f16ce..f94755e 100644 +--- a/policy/modules/system/sysnetwork.te ++++ b/policy/modules/system/sysnetwork.te +@@ -320,6 +320,7 @@ allow ifconfig_t self:tcp_socket { create ioctl }; + can_exec(ifconfig_t, ifconfig_exec_t) + + manage_files_pattern(ifconfig_t, ifconfig_var_run_t, ifconfig_var_run_t) ++manage_lnk_files_pattern(ifconfig_t, ifconfig_var_run_t, ifconfig_var_run_t) + create_dirs_pattern(ifconfig_t, ifconfig_var_run_t, ifconfig_var_run_t) + files_pid_filetrans(ifconfig_t, ifconfig_var_run_t, { file dir }) + allow ifconfig_t ifconfig_var_run_t:file mounton; +@@ -346,6 +347,7 @@ dev_mount_sysfs_fs(ifconfig_t) + dev_unmount_sysfs_fs(ifconfig_t) + + domain_use_interactive_fds(ifconfig_t) ++domain_read_all_domains_state(ifconfig_t) + + read_files_pattern(ifconfig_t, dhcpc_state_t, dhcpc_state_t) + +@@ -384,10 +386,15 @@ logging_send_syslog_msg(ifconfig_t) + seutil_use_runinit_fds(ifconfig_t) + + sysnet_dns_name_resolve(ifconfig_t) ++sysnet_filetrans_named_content_ifconfig(ifconfig_t) + + userdom_use_inherited_user_terminals(ifconfig_t) + userdom_use_all_users_fds(ifconfig_t) + ++optional_policy(` ++ hostname_exec(ifconfig_t) ++') ++ + ifdef(`distro_ubuntu',` + optional_policy(` + unconfined_domain(ifconfig_t) +diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if +index 8bca1d7..24b2af3 100644 +--- a/policy/modules/system/systemd.if ++++ b/policy/modules/system/systemd.if +@@ -369,6 +369,24 @@ interface(`systemd_write_inherited_logind_sessions_pipes',` + + 
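Review bot: `domain_read_all_domains_state(ifconfig_t)` in the second sysnetwork.te hunk lets ifconfig_t read the /proc/<pid> state (cmdline, environment, maps and so on) of every process on the system, and ifconfig_t is entered by domain transition from many callers. Process environments routinely carry secrets, so this is a larger grant than a network helper normally needs; if the denial came from inspecting a specific peer, a targeted `ps_process_pattern(ifconfig_t, <peer_t>)` through that module's read-state interface would be narrower, and `domain_dontaudit_read_all_domains_state(ifconfig_t)` is the option if the access is not functionally required. The hunk gives no hint which process is being read, so a comment naming it should accompany whichever rule stays.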
###################################### + ## ++## Dontaudit attempts to write inherited logind sessions pipes. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`systemd_dontaudit_write_inherited_logind_sessions_pipes',` ++ gen_require(` ++ type systemd_logind_sessions_t; ++ ') ++ ++ dontaudit $1 systemd_logind_sessions_t:fifo_file write; ++') ++ ++###################################### ++## + ## Write systemd inhibit pipes. + ## + ## diff --git a/SOURCES/policy-rhel-7.0.z-contrib.patch b/SOURCES/policy-rhel-7.0.z-contrib.patch new file mode 100644 index 0000000..2c39572 --- /dev/null +++ b/SOURCES/policy-rhel-7.0.z-contrib.patch 
@@ -0,0 +1,2228 @@ +diff --git a/aiccu.te b/aiccu.te +index 6e4206c..a9039ce 100644 +--- a/aiccu.te ++++ b/aiccu.te +@@ -69,6 +69,10 @@ optional_policy(` + ') + + optional_policy(` ++ pcscd_stream_connect(aiccu_t) ++') ++ ++optional_policy(` + sysnet_dns_name_resolve(aiccu_t) + sysnet_domtrans_ifconfig(aiccu_t) + ') +diff --git a/antivirus.te b/antivirus.te +index 8ba9c95..83590aa 100644 +--- a/antivirus.te ++++ b/antivirus.te +@@ -37,7 +37,7 @@ typealias antivirus_unit_file_t alias { clamd_unit_file_t }; + systemd_unit_file(antivirus_unit_file_t) + + type antivirus_conf_t; +-typealias antivirus_conf_t alias { clamd_etc_t }; ++typealias antivirus_conf_t alias { clamd_etc_t amavis_etc_t }; + files_config_file(antivirus_conf_t) + + type antivirus_var_run_t; +@@ -166,6 +166,7 @@ dev_read_urand(antivirus_domain) + + domain_dontaudit_read_all_domains_state(antivirus_domain) + ++files_dontaudit_read_security_files(antivirus_domain) + files_read_etc_runtime_files(antivirus_domain) + files_search_spool(antivirus_domain) + +@@ -190,8 +191,6 @@ userdom_dontaudit_search_user_home_dirs(antivirus_domain) + + tunable_policy(`antivirus_can_scan_system',` + files_read_non_security_files(antivirus_domain) +- #files_dontaudit_read_all_non_security_files(antivirus_domain) +- files_dontaudit_read_security_files(antivirus_domain) + files_getattr_all_pipes(antivirus_domain) + files_getattr_all_sockets(antivirus_domain) + dev_getattr_all_blk_files(antivirus_domain) +diff --git a/apache.fc b/apache.fc +index 43bb1c9..b903cc0 100644 +--- a/apache.fc ++++ b/apache.fc +@@ -133,6 +133,7 @@ ifdef(`distro_suse', ` + /var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) + /var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) + /var/log/glpi(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) ++/var/log/horizon(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) + /var/log/cacti(/.*)? 
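Review bot: Moving `files_dontaudit_read_security_files(antivirus_domain)` out of the `antivirus_can_scan_system` tunable makes the suppression unconditional, so an antivirus process that opens /etc/shadow or other security_file_type content is no longer logged even on hosts where system scanning is disabled. The dontaudit does not grant access, but it removes the AVC a defender would otherwise use to notice a compromised or misconfigured scanner touching credential files. If it must be unconditional, add a comment stating which scan path produces the noise it silences; otherwise keep it inside the tunable next to the other scan-system rules.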
gen_context(system_u:object_r:httpd_log_t,s0) + /var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0) + /var/log/cherokee(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +diff --git a/apache.if b/apache.if +index 64beed7..9426db5 100644 +--- a/apache.if ++++ b/apache.if +@@ -74,6 +74,8 @@ template(`apache_content_template',` + manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) + manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) + ++ allow httpd_$1_script_t httpd_t:unix_stream_socket { getattr read write }; ++ + # Allow the web server to run scripts and serve pages + tunable_policy(`httpd_builtin_scripting',` + manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) +diff --git a/apache.te b/apache.te +index 21d7195..bce7760 100644 +--- a/apache.te ++++ b/apache.te +@@ -474,7 +474,7 @@ role system_r types httpd_passwd_t; + # Apache server local policy + # + +-allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config }; ++allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config sys_chroot }; + dontaudit httpd_t self:capability { net_admin sys_tty_config }; + allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow httpd_t self:fd use; +@@ -510,6 +510,7 @@ allow httpd_t httpd_log_t:dir setattr; + create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t) + create_files_pattern(httpd_t, httpd_log_t, httpd_log_t) + append_files_pattern(httpd_t, httpd_log_t, httpd_log_t) ++setattr_files_pattern(httpd_t, httpd_log_t, httpd_log_t) + read_files_pattern(httpd_t, httpd_log_t, httpd_log_t) + read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t) + # cjp: need to refine create interfaces to +@@ -1035,6 +1036,7 @@ optional_policy(` + + optional_policy(` + passenger_exec(httpd_t) ++ passenger_kill(httpd_t) + 
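Review bot: `allow httpd_$1_script_t httpd_t:unix_stream_socket { getattr read write };` in apache_content_template gives every templated script domain read and write on sockets owned by httpd_t, while a later hunk in apache.te adds `dontaudit httpd_script_type httpd_t:unix_stream_socket { read write };` for the same object. For the templated domains the allow wins and the dontaudit is dead; for any non-templated httpd_script_type the access is silently denied, so the two hunks encode different decisions about the same leaked descriptor. Pick one: if scripts legitimately need the inherited socket, keep the allow and drop the dontaudit; if it is merely a leaked descriptor, keep only the dontaudit. A server socket readable from a CGI domain is also worth a comment saying what it carries, since the hunk does not.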
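Review bot: `sys_chroot` is added to httpd_t's capability set in the hunk at line 474 without a comment saying which module calls chroot(). httpd_t already holds `dac_override` and `setuid` on the same line, so the new bit does not by itself create a root-equivalent path, but chroot() is not a security boundary and any httpd module can now re-root the process; a one-line `# sys_chroot: <module> calls chroot() at startup` above the allow would let a later reviewer judge whether it is still needed. If only one optional module needs it, gating it behind a boolean would be the more usual way to add a capability to a network-facing daemon.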
passenger_manage_pid_content(httpd_t) + ') + +@@ -1649,7 +1651,7 @@ allow httpd_t httpd_script_type:unix_stream_socket connectto; + + allow httpd_t httpd_script_exec_type:file read_file_perms; + allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms; +-allow httpd_t httpd_script_type:process { signal sigkill sigstop }; ++allow httpd_t httpd_script_type:process { signal sigkill sigstop signull }; + allow httpd_t httpd_script_exec_type:dir list_dir_perms; + + allow httpd_script_type self:process { setsched signal_perms }; +@@ -1660,6 +1662,7 @@ allow httpd_script_type httpd_t:fd use; + allow httpd_script_type httpd_t:process sigchld; + + dontaudit httpd_script_type httpd_t:tcp_socket { read write }; ++dontaudit httpd_script_type httpd_t:unix_stream_socket { read write }; + + fs_getattr_xattr_fs(httpd_script_type) + +diff --git a/apcupsd.te b/apcupsd.te +index a370cb8..5206035 100644 +--- a/apcupsd.te ++++ b/apcupsd.te +@@ -82,6 +82,8 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t) + + dev_rw_generic_usb_dev(apcupsd_t) + ++domain_signull_all_domains(apcupsd_t) ++ + files_manage_etc_runtime_files(apcupsd_t) + files_etc_filetrans_etc_runtime(apcupsd_t, file, "nologin") + +diff --git a/automount.te b/automount.te +index f27656d..11dbe9d 100644 +--- a/automount.te ++++ b/automount.te +@@ -89,6 +89,7 @@ corenet_udp_bind_all_rpc_ports(automount_t) + + files_dontaudit_write_var_dirs(automount_t) + files_getattr_all_dirs(automount_t) ++files_getattr_all_files(automount_t) + files_getattr_default_dirs(automount_t) + files_getattr_home_dir(automount_t) + files_getattr_isid_type_dirs(automount_t) +diff --git a/bind.if b/bind.if +index 6c2dbe4..43b445c 100644 +--- a/bind.if ++++ b/bind.if +@@ -408,6 +408,25 @@ interface(`bind_udp_chat_named',` + + ######################################## + ## ++## Allow the domain to read bind state files in /proc. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`bind_read_state',` ++ gen_require(` ++ type named_t; ++ ') ++ ++ kernel_search_proc($1) ++ ps_process_pattern($1, named_t) ++') ++ ++######################################## ++## + ## All of the rules required to + ## administrate an bind environment. + ## +diff --git a/chronyd.te b/chronyd.te +index 7d723c0..d0c8001 100644 +--- a/chronyd.te ++++ b/chronyd.te +@@ -87,6 +87,7 @@ domain_dontaudit_getsession_all_domains(chronyd_t) + + dev_read_rand(chronyd_t) + dev_read_urand(chronyd_t) ++dev_read_sysfs(chronyd_t) + + dev_rw_realtime_clock(chronyd_t) + +diff --git a/cloudform.te b/cloudform.te +index 786d623..496ce03 100644 +--- a/cloudform.te ++++ b/cloudform.te +@@ -270,8 +270,9 @@ files_tmp_filetrans(mongod_t, mongod_tmp_t, { file dir sock_file }) + + manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t) + manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t) ++manage_sock_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t) + #needed by dbomatic +-files_pid_filetrans(mongod_t, mongod_var_run_t, { file }) ++files_pid_filetrans(mongod_t, mongod_var_run_t, { file sock_file dir }) + + corecmd_exec_bin(mongod_t) + corecmd_exec_shell(mongod_t) +diff --git a/conman.te b/conman.te +index 0de2d4d..d6b0314 100644 +--- a/conman.te ++++ b/conman.te +@@ -25,7 +25,7 @@ allow conman_t self:process { setrlimit signal_perms }; + + allow conman_t self:fifo_file rw_fifo_file_perms; + allow conman_t self:unix_stream_socket create_stream_socket_perms; +-allow conman_t self:tcp_socket { listen create_socket_perms }; ++allow conman_t self:tcp_socket { accept listen create_socket_perms }; + + manage_dirs_pattern(conman_t, conman_log_t, conman_log_t) + manage_files_pattern(conman_t, conman_log_t, conman_log_t) +@@ -40,6 +40,10 @@ auth_read_passwd(conman_t) + + logging_send_syslog_msg(conman_t) + ++sysnet_dns_name_resolve(conman_t) ++ ++userdom_use_user_ptys(conman_t) ++ + optional_policy(` + freeipmi_stream_connect(conman_t) + ') 
+diff --git a/cups.fc b/cups.fc +index afe482b..9437dbe 100644 +--- a/cups.fc ++++ b/cups.fc +@@ -76,10 +76,14 @@ + /var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0) + /var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) + ++/etc/opt/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + /usr/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0) + /usr/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +-/etc/opt/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + /usr/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) ++/usr/local/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0) ++/usr/local/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) ++/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) ++ + + /usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + +diff --git a/dhcp.te b/dhcp.te +index cdb4d60..5d61f10 100644 +--- a/dhcp.te ++++ b/dhcp.te +@@ -103,13 +103,26 @@ auth_use_nsswitch(dhcpd_t) + + logging_send_syslog_msg(dhcpd_t) + ++sysnet_read_config(dhcpd_t) + sysnet_read_dhcp_config(dhcpd_t) + + userdom_dontaudit_use_unpriv_user_fds(dhcpd_t) + userdom_dontaudit_search_user_home_dirs(dhcpd_t) + + tunable_policy(`dhcpd_use_ldap',` +- sysnet_use_ldap(dhcpd_t) ++ allow dhcpd_t self:tcp_socket create_socket_perms; ++') ++ ++tunable_policy(`dhcpd_use_ldap',` ++ corenet_tcp_sendrecv_generic_if(dhcpd_t) ++ corenet_tcp_sendrecv_generic_node(dhcpd_t) ++ corenet_tcp_sendrecv_ldap_port(dhcpd_t) ++ corenet_tcp_connect_ldap_port(dhcpd_t) ++ corenet_sendrecv_ldap_client_packets(dhcpd_t) ++') ++ ++tunable_policy(`dhcpd_use_ldap',` ++ ldap_read_certs(dhcpd_t) + ') + + ifdef(`distro_gentoo',` +diff --git a/docker.te b/docker.te +index c80e06c..73e71c1 100644 +--- a/docker.te ++++ b/docker.te +@@ -97,6 +97,7 @@ 
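Review bot: `ldap_read_certs(dhcpd_t)` in the dhcp.te hunk is called inside `tunable_policy` but not inside `optional_policy`, whereas the same call in authlogin.te and in `sysnet_use_ldap` (sysnetwork.if) is wrapped in `optional_policy`. If the ldap module can be absent from a build — the usual reason for that wrapper — the dhcp module then fails on the unresolved ldap type requirement; wrap the tunable block in optional_policy the way authlogin.te does for `ldap_stream_connect`. This also keeps the three inlined copies of the former `sysnet_use_ldap` body structurally identical.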
manage_chr_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t) + manage_blk_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t) + manage_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t) + manage_lnk_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t) ++allow docker_t docker_var_lib_t:dir_file_class_set { relabelfrom relabelto }; + files_var_lib_filetrans(docker_t, docker_var_lib_t, { dir file lnk_file }) + + manage_dirs_pattern(docker_t, docker_var_run_t, docker_var_run_t) +@@ -135,12 +136,14 @@ files_read_etc_files(docker_t) + + fs_read_cgroup_files(docker_t) + fs_read_tmpfs_symlinks(docker_t) ++fs_getattr_all_fs(docker_t) + + storage_raw_rw_fixed_disk(docker_t) + + auth_use_nsswitch(docker_t) + + init_read_state(docker_t) ++init_status(docker_t) + + logging_send_audit_msgs(docker_t) + logging_send_syslog_msg(docker_t) +@@ -220,6 +223,12 @@ term_mounton_unallocated_ttys(docker_t) + + modutils_domtrans_insmod(docker_t) + ++systemd_status_all_unit_files(docker_t) ++systemd_start_systemd_services(docker_t) ++ ++userdom_stream_connect(docker_t) ++userdom_search_user_home_content(docker_t) ++ + optional_policy(` + dbus_system_bus_client(docker_t) + init_dbus_chat(docker_t) +diff --git a/drbd.fc b/drbd.fc +index 671a3fb..c781675 100644 +--- a/drbd.fc ++++ b/drbd.fc +@@ -3,7 +3,7 @@ + /sbin/drbdadm -- gen_context(system_u:object_r:drbd_exec_t,s0) + /sbin/drbdsetup -- gen_context(system_u:object_r:drbd_exec_t,s0) + +-/usr/lib/ocf/resource.\d/linbit/drbd -- gen_context(system_u:object_r:drbd_exec_t,s0) ++/usr/lib/ocf/resource\.d/linbit/drbd -- gen_context(system_u:object_r:drbd_exec_t,s0) + + /usr/sbin/drbdadm -- gen_context(system_u:object_r:drbd_exec_t,s0) + /usr/sbin/drbdsetup -- gen_context(system_u:object_r:drbd_exec_t,s0) +diff --git a/exim.fc b/exim.fc +index dc0254b..9df498d 100644 +--- a/exim.fc ++++ b/exim.fc +@@ -3,6 +3,8 @@ + /usr/sbin/exim[0-9]? 
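Review bot: `systemd_start_systemd_services(docker_t)` together with `systemd_status_all_unit_files(docker_t)` lets the docker daemon start any unit on the host, and `userdom_search_user_home_content(docker_t)` plus `userdom_stream_connect(docker_t)` reach into user sessions; none of the four lines carries a comment on the feature behind it. docker_t is already highly privileged in this file (`storage_raw_rw_fixed_disk(docker_t)` is visible in the hunk above), so the practical widening is modest, but the unit-start permission is exactly the rule a hardening review asks about. A comment naming the use — presumably a systemd cgroup driver or unit-per-container setup, though the hunk does not say — would save that question.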
-- gen_context(system_u:object_r:exim_exec_t,s0) + /usr/sbin/exim_tidydb -- gen_context(system_u:object_r:exim_exec_t,s0) + ++/var/lib/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_var_lib_t,s0) ++ + /var/log/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_log_t,s0) + + /var/run/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_var_run_t,s0) +diff --git a/exim.if b/exim.if +index ef3b449..4a8d053 100644 +--- a/exim.if ++++ b/exim.if +@@ -241,8 +241,46 @@ interface(`exim_manage_spool_files',` + + ######################################## + ## +-## All of the rules required to administrate +-## an exim environment. ++## Read exim var lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`exim_read_var_lib_files',` ++ gen_require(` ++ type exim_var_lib_t; ++ ') ++ ++ read_files_pattern($1, exim_var_lib_t, exim_var_lib_t) ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Create, read, and write exim var lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`exim_manage_var_lib_files',` ++ gen_require(` ++ type exim_var_lib_t; ++ ') ++ ++ manage_files_pattern($1, exim_var_lib_t, exim_var_lib_t) ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## All of the rules required to ++## administrate an exim environment. 
+ ## + ## + ## +@@ -257,8 +295,9 @@ interface(`exim_manage_spool_files',` + # + interface(`exim_admin',` + gen_require(` +- type exim_t, exim_initrc_exec_t, exim_log_t; +- type exim_tmp_t, exim_spool_t, exim_var_run_t; ++ type exim_t, exim_spool_t, exim_log_t; ++ type exim_var_run_t, exim_initrc_exec_t, exim_tmp_t; ++ type exim_keytab_t; + ') + + allow $1 exim_t:process signal_perms; +@@ -273,6 +312,9 @@ interface(`exim_admin',` + role_transition $2 exim_initrc_exec_t system_r; + allow $2 system_r; + ++ files_search_etc($1) ++ admin_pattern($1, exim_keytab_t) ++ + files_search_spool($1) + admin_pattern($1, exim_spool_t) + +diff --git a/exim.te b/exim.te +index 3e86b12..5495c90 100644 +--- a/exim.te ++++ b/exim.te +@@ -1,4 +1,4 @@ +-policy_module(exim, 1.5.4) ++policy_module(exim, 1.6.1) + + ######################################## + # +@@ -45,6 +45,9 @@ mta_agent_executable(exim_exec_t) + type exim_initrc_exec_t; + init_script_file(exim_initrc_exec_t) + ++type exim_var_lib_t; ++files_type(exim_var_lib_t) ++ + type exim_log_t; + logging_log_file(exim_log_t) + +@@ -57,6 +60,10 @@ files_tmp_file(exim_tmp_t) + type exim_var_run_t; + files_pid_file(exim_var_run_t) + ++ifdef(`distro_debian',` ++ init_daemon_run_dir(exim_var_run_t, "exim4") ++') ++ + ######################################## + # + # Local policy +@@ -68,6 +75,8 @@ allow exim_t self:fifo_file rw_fifo_file_perms; + allow exim_t self:unix_stream_socket { accept listen }; + allow exim_t self:tcp_socket { accept listen }; + ++manage_files_pattern(exim_t, exim_var_lib_t, exim_var_lib_t) ++ + append_files_pattern(exim_t, exim_log_t, exim_log_t) + create_files_pattern(exim_t, exim_log_t, exim_log_t) + setattr_files_pattern(exim_t, exim_log_t, exim_log_t) +@@ -88,6 +97,7 @@ files_pid_filetrans(exim_t, exim_var_run_t, { dir file }) + + can_exec(exim_t, exim_exec_t) + ++kernel_read_crypto_sysctls(exim_t) + kernel_read_kernel_sysctls(exim_t) + kernel_read_network_state(exim_t) + kernel_read_system_state(exim_t) +@@ 
-122,6 +132,7 @@ corenet_tcp_connect_spamd_port(exim_t) + + dev_read_rand(exim_t) + dev_read_urand(exim_t) ++dev_read_sysfs(exim_t) + + domain_use_interactive_fds(exim_t) + +@@ -134,6 +145,7 @@ fs_getattr_xattr_fs(exim_t) + fs_list_inotifyfs(exim_t) + + auth_use_nsswitch(exim_t) ++auth_domtrans_chk_passwd(exim_t) + + logging_send_syslog_msg(exim_t) + +@@ -175,6 +187,7 @@ optional_policy(` + optional_policy(` + cron_read_pipes(exim_t) + cron_rw_system_job_pipes(exim_t) ++ cron_use_system_job_fds(exim_t) + ') + + optional_policy(` +@@ -186,7 +199,7 @@ optional_policy(` + ') + + optional_policy(` +- kerberos_keytab_template(exim, exim_t) ++ kerberos_keytab_template(exim, exim_t) + ') + + optional_policy(` +diff --git a/fprintd.te b/fprintd.te +index ed04b9e..72b7712 100644 +--- a/fprintd.te ++++ b/fprintd.te +@@ -33,6 +33,8 @@ dev_read_sysfs(fprintd_t) + dev_read_urand(fprintd_t) + dev_rw_generic_usb_dev(fprintd_t) + ++files_dontaudit_list_tmp(fprintd_t) ++ + fs_getattr_all_fs(fprintd_t) + + auth_use_nsswitch(fprintd_t) +diff --git a/freeipmi.te b/freeipmi.te +index 8071a76..0710d79 100644 +--- a/freeipmi.te ++++ b/freeipmi.te +@@ -40,6 +40,7 @@ files_var_lib_filetrans(freeipmi_domain, freeipmi_var_lib_t, { dir }) + + dev_read_rand(freeipmi_domain) + dev_read_urand(freeipmi_domain) ++dev_rw_ipmi_dev(freeipmi_domain) + + sysnet_dns_name_resolve(freeipmi_domain) + +@@ -50,7 +51,6 @@ sysnet_dns_name_resolve(freeipmi_domain) + + files_pid_filetrans(freeipmi_bmc_watchdog_t, freeipmi_bmc_watchdog_var_run_t, file, "bmc-watchdog.pid") + +-dev_rw_ipmi_dev(freeipmi_bmc_watchdog_t) + + allow freeipmi_bmc_watchdog_t freeipmi_ipmiseld_t:sem rw_sem_perms; + +diff --git a/gear.fc b/gear.fc +index 5eabf35..98c012c 100644 +--- a/gear.fc ++++ b/gear.fc +@@ -1,7 +1,7 @@ + /usr/bin/gear -- gen_context(system_u:object_r:gear_exec_t,s0) + +-/usr/lib/systemd/system/gear.service -- gen_context(system_u:object_r:gear_unit_file_t,s0) +- +-/var/lib/containers/bin/gear -- 
gen_context(system_u:object_r:gear_exec_t,s0)
++/usr/lib/systemd/system/gear.service -- gen_context(system_u:object_r:gear_unit_file_t,s0)
+ 
++/var/lib/containers(/.*)? gen_context(system_u:object_r:gear_var_lib_t,s0)
++/var/lib/containers/units(/.*)? gen_context(system_u:object_r:gear_unit_file_t,s0)
+ /var/lib/gear(/.*)? gen_context(system_u:object_r:gear_var_lib_t,s0)
+diff --git a/gear.te b/gear.te
+index 6c32f79..cb68ca9 100644
+--- a/gear.te
++++ b/gear.te
+@@ -25,11 +25,15 @@ systemd_unit_file(gear_unit_file_t)
+ #
+ # gear local policy
+ #
++allow gear_t self:capability { chown net_admin fowner dac_override };
++allow gear_t self:capability2 block_suspend;
+ allow gear_t self:process { getattr signal_perms };
+ allow gear_t self:fifo_file rw_fifo_file_perms;
+ allow gear_t self:unix_stream_socket create_stream_socket_perms;
+ allow gear_t self:tcp_socket create_stream_socket_perms;
+ 
++allow gear_t gear_unit_file_t:dir { relabelfrom relabelto };
++
+ manage_dirs_pattern(gear_t, gear_log_t, gear_log_t)
+ manage_files_pattern(gear_t, gear_log_t, gear_log_t)
+ manage_lnk_files_pattern(gear_t, gear_log_t, gear_log_t)
+@@ -43,6 +47,7 @@ manage_blk_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
+ manage_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
+ manage_lnk_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
+ files_var_lib_filetrans(gear_t, gear_var_lib_t, { dir file lnk_file })
++allow gear_t gear_var_lib_t:dir { relabelfrom relabelto };
+ 
+ manage_dirs_pattern(gear_t, gear_var_run_t, gear_var_run_t)
+ manage_files_pattern(gear_t, gear_var_run_t, gear_var_run_t)
+@@ -56,6 +61,7 @@ kernel_read_all_sysctls(gear_t)
+ kernel_rw_net_sysctls(gear_t)
+ 
+ domain_use_interactive_fds(gear_t)
++domain_read_all_domains_state(gear_t)
+ 
+ corecmd_exec_bin(gear_t)
+ corecmd_exec_shell(gear_t)
+@@ -66,6 +72,11 @@ corenet_tcp_sendrecv_generic_node(gear_t)
+ corenet_tcp_sendrecv_generic_port(gear_t)
+ corenet_tcp_bind_gear_port(gear_t)
+ 
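Review bot: The new `allow gear_t self:capability { chown net_admin fowner dac_override };` hands gear_t dac_override, which bypasses every discretionary permission check, and net_admin, without saying which gear operation needs them; the same hunk also lets gear_t relabel unit-file directories (`allow gear_t gear_unit_file_t:dir { relabelfrom relabelto };`). Other files in this patch annotate such grants (logrotate.te carries `# Change ownership on log files.` above its capability line), so a comment such as `# dac_override/net_admin: TODO(<denial ref>) name the gear operation that needs them` would let a later reviewer decide whether a narrower rule or a dontaudit is enough. The later gear.te hunks add `domain_read_all_domains_state`, `init_enable_services` and `iptables_domtrans` and would benefit from the same kind of note.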
++dev_mounton_sysfs(gear_t)
++dev_mount_sysfs_fs(gear_t)
++dev_unmount_sysfs_fs(gear_t)
++
++files_mounton_rootfs(gear_t)
+ files_read_etc_files(gear_t)
+ 
+ fs_read_cgroup_files(gear_t)
+@@ -75,6 +86,9 @@ auth_use_nsswitch(gear_t)
+ 
+ init_read_state(gear_t)
+ init_dbus_chat(gear_t)
++init_enable_services(gear_t)
++
++iptables_domtrans(gear_t)
+ 
+ logging_send_audit_msgs(gear_t)
+ logging_send_syslog_msg(gear_t)
+@@ -87,8 +101,25 @@ seutil_read_default_contexts(gear_t)
+ 
+ sysnet_dns_name_resolve(gear_t)
+ 
++sysnet_exec_ifconfig(gear_t)
++sysnet_manage_ifconfig_run(gear_t)
++
+ systemd_manage_all_unit_files(gear_t)
+ 
+ optional_policy(`
++ hostname_exec(gear_t)
++')
++
++optional_policy(`
++ dbus_system_bus_client(gear_t)
++')
++
++optional_policy(`
+ docker_stream_connect(gear_t)
+ ')
++
++optional_policy(`
++ openshift_manage_lib_dirs(gear_t)
++ openshift_manage_lib_files(gear_t)
++ openshift_relabelfrom_lib(gear_t)
++')
+diff --git a/glance.te b/glance.te
+index 16dcb5b..2d17fe6 100644
+--- a/glance.te
++++ b/glance.te
+@@ -5,6 +5,13 @@ policy_module(glance, 1.0.2)
+ # Declarations
+ #
+ 
++##
++##

++## Allow glance domain to manage fuse files
++##

++##
++gen_tunable(glance_use_fusefs, false)
++
+ attribute glance_domain;
+ 
+ glance_basic_types_template(glance_registry)
+@@ -77,6 +84,19 @@ libs_exec_ldconfig(glance_domain)
+ 
+ sysnet_dns_name_resolve(glance_domain)
+ 
++tunable_policy(`glance_use_fusefs',`
++ fs_manage_fusefs_dirs(glance_domain)
++ fs_manage_fusefs_files(glance_domain)
++ fs_read_fusefs_symlinks(glance_domain)
++ fs_getattr_fusefs(glance_domain)
++')
++
++
++
++optional_policy(`
++ mysql_read_db_lnk_files(glance_domain)
++')
++
+ ########################################
+ #
+ # Registry local policy
+@@ -122,6 +142,8 @@ corenet_tcp_connect_mysqld_port(glance_api_t)
+ corenet_tcp_connect_http_port(glance_api_t)
+ 
+ corenet_tcp_connect_all_ephemeral_ports(glance_api_t)
++corenet_tcp_connect_commplex_main_port(glance_api_t)
++corenet_tcp_connect_http_cache_port(glance_api_t)
+ 
+ corenet_sendrecv_hplip_server_packets(glance_api_t)
+ corenet_tcp_bind_hplip_port(glance_api_t)
+diff --git a/gnome.te b/gnome.te
+index 5314f96..ea1115c 100644
+--- a/gnome.te
++++ b/gnome.te
+@@ -226,7 +226,6 @@ allow gkeyringd_domain gconf_home_t:dir create_dir_perms;
+ filetrans_pattern(gkeyringd_domain, gconf_home_t, data_home_t, dir, "share")
+ filetrans_pattern(gkeyringd_domain, gnome_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
+ filetrans_pattern(gkeyringd_domain, data_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
+-filetrans_pattern(gkeyringd_domain, gnome_home_t, data_home_t, dir, "keyrings")
+ 
+ manage_dirs_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t)
+ manage_sock_files_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t)
+diff --git a/iscsi.if b/iscsi.if
+index 2ea1241..a7e1562 100644
+--- a/iscsi.if
++++ b/iscsi.if
+@@ -117,6 +117,28 @@ interface(`iscsi_filetrans_named_content',`
+ files_lock_filetrans($1, iscsi_lock_t, dir, "iscsi")
+ ')
+ 
++########################################
++##
++## Execute iscsi server in the iscsi domain.
++##
++##
++##
++## Domain allowed to transition. 
++##
++##
++#
++interface(`iscsi_systemctl',`
++ gen_require(`
++ type iscsid_t;
++ type iscsi_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 iscsi_unit_file_t:file read_file_perms;
++ allow $1 iscsi_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, iscsid_t)
++')
+ 
+ ########################################
+ ##
+diff --git a/iscsi.te b/iscsi.te
+index 56d45ec..b25cfd0 100644
+--- a/iscsi.te
++++ b/iscsi.te
+@@ -90,6 +90,9 @@ corenet_sendrecv_winshadow_client_packets(iscsid_t)
+ corenet_tcp_connect_winshadow_port(iscsid_t)
+ corenet_tcp_sendrecv_winshadow_port(iscsid_t)
+ 
++corecmd_exec_bin(iscsid_t)
++corecmd_exec_shell(iscsid_t)
++
+ dev_read_urand(iscsid_t)
+ dev_rw_sysfs(iscsid_t)
+ dev_rw_userio_dev(iscsid_t)
+@@ -108,5 +111,9 @@ logging_send_syslog_msg(iscsid_t)
+ modutils_read_module_config(iscsid_t)
+ 
+ optional_policy(`
++ iscsi_systemctl(iscsid_t)
++')
++
++optional_policy(`
+ tgtd_manage_semaphores(iscsid_t)
+ ')
+diff --git a/keepalived.te b/keepalived.te
+index 535f79b..dc5c775 100644
+--- a/keepalived.te
++++ b/keepalived.te
+@@ -33,6 +33,9 @@ files_pid_filetrans(keepalived_t, keepalived_var_run_t, { file })
+ kernel_read_system_state(keepalived_t)
+ kernel_read_network_state(keepalived_t)
+ 
++corecmd_exec_bin(keepalived_t)
++corecmd_exec_shell(keepalived_t)
++
+ auth_use_nsswitch(keepalived_t)
+ 
+ corenet_tcp_connect_connlcli_port(keepalived_t)
+diff --git a/keystone.te b/keystone.te
+index a82637c..c21beab 100644
+--- a/keystone.te
++++ b/keystone.te
+@@ -78,6 +78,7 @@ libs_exec_ldconfig(keystone_t)
+ optional_policy(`
+ mysql_stream_connect(keystone_t)
+ mysql_tcp_connect(keystone_t)
++ mysql_read_db_lnk_files(keystone_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/logrotate.te b/logrotate.te
+index f8c5464..17ea89c 100644
+--- a/logrotate.te
++++ b/logrotate.te
+@@ -38,7 +38,7 @@ files_type(logrotate_var_lib_t)
+ 
+ # Change ownership on log files. 
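Review bot: The summary `## Execute iscsi server in the iscsi domain.` and the parameter text `## Domain allowed to transition.` describe a domain transition, but the body of `iscsi_systemctl` grants `systemd_exec_systemctl($1)`, read and `manage_service_perms` on `iscsi_unit_file_t`, and `ps_process_pattern($1, iscsid_t)`; no transition to iscsid_t is set up. Suggested wording: `## Execute systemctl to manage the iscsi service unit.` and `## Domain allowed access.`. The iscsi.te hunk that follows calls `iscsi_systemctl(iscsid_t)` on the daemon itself, so iscsid_t can start, stop and enable its own unit; a one-line comment naming the iscsid code path that runs systemctl would make that self-management easier to audit later.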
+ allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice sys_ptrace };
+-dontaudit logrotate_t self:capability sys_resource;
++dontaudit logrotate_t self:capability { sys_resource net_admin };
+ 
+ allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ 
+diff --git a/logwatch.te b/logwatch.te
+index 7569cd9..aea48db 100644
+--- a/logwatch.te
++++ b/logwatch.te
+@@ -187,6 +187,8 @@ dev_read_sysfs(logwatch_mail_t)
+ logging_read_all_logs(logwatch_mail_t)
+ 
+ mta_read_home(logwatch_mail_t)
++mta_filetrans_home_content(logwatch_mail_t)
++mta_filetrans_admin_home_content(logwatch_mail_t)
+ 
+ optional_policy(`
+ cron_use_system_job_fds(logwatch_mail_t)
+diff --git a/mock.if b/mock.if
+index 6568bfe..f5b98e6 100644
+--- a/mock.if
++++ b/mock.if
+@@ -53,6 +53,7 @@ interface(`mock_read_lib_files',`
+ ')
+ 
+ files_search_var_lib($1)
++ list_dirs_pattern($1, mock_var_lib_t, mock_var_lib_t)
+ read_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
+ ')
+ 
+diff --git a/mock.te b/mock.te
+index fc64201..1bf717f 100644
+--- a/mock.te
++++ b/mock.te
+@@ -192,7 +192,7 @@ optional_policy(`
+ #
+ # mock_build local policy
+ #
+-allow mock_build_t self:capability { sys_admin setfcap setuid sys_chroot chown dac_override sys_nice mknod fsetid setgid fowner };
++allow mock_build_t self:capability { sys_admin setfcap setuid sys_chroot chown dac_override sys_nice mknod fsetid setgid fowner sys_ptrace };
+ dontaudit mock_build_t self:capability audit_write;
+ allow mock_build_t self:process { fork setsched setpgid signal_perms };
+ allow mock_build_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
+@@ -269,6 +269,7 @@ init_dontaudit_stream_connect(mock_build_t)
+ 
+ libs_exec_ldconfig(mock_build_t)
+ 
++term_use_all_inherited_terms(mock_build_t)
+ userdom_use_inherited_user_ptys(mock_build_t)
+ 
+ tunable_policy(`mock_enable_homedirs',`
+diff --git 
a/motion.te b/motion.te
+index b694afc..c7f4eb5 100644
+--- a/motion.te
++++ b/motion.te
+@@ -26,7 +26,7 @@ files_type(motion_data_t)
+ # motion local policy
+ #
+ allow motion_t self:udp_socket { create connect getattr };
+-allow motion_t self:tcp_socket { bind create setopt listen };
++allow motion_t self:tcp_socket create_stream_socket_perms;
+ allow motion_t self:netlink_route_socket r_netlink_socket_perms;
+ 
+ manage_dirs_pattern(motion_t, motion_log_t, motion_log_t)
+@@ -43,6 +43,7 @@ files_var_filetrans(motion_t, motion_data_t, { dir file })
+ 
+ corenet_tcp_bind_http_cache_port(motion_t)
+ corenet_tcp_bind_transproxy_port(motion_t)
++corenet_tcp_bind_us_cli_port(motion_t)
+ corenet_tcp_connect_http_port(motion_t)
+ corenet_tcp_bind_generic_node(motion_t)
+ 
+diff --git a/mozilla.te b/mozilla.te
+index e76899c..a4f86f5 100644
+--- a/mozilla.te
++++ b/mozilla.te
+@@ -442,6 +442,7 @@ dev_dontaudit_read_mtrr(mozilla_plugin_t)
+ xserver_dri_domain(mozilla_plugin_t)
+ 
+ dev_dontaudit_getattr_all(mozilla_plugin_t)
++dev_dontaudit_leaked_xserver_misc(mozilla_plugin_t)
+ 
+ domain_use_interactive_fds(mozilla_plugin_t)
+ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
+@@ -458,6 +459,10 @@ fs_read_noxattr_fs_files(mozilla_plugin_t)
+ fs_read_hugetlbfs_files(mozilla_plugin_t)
+ fs_exec_hugetlbfs_files(mozilla_plugin_t)
+ 
++storage_raw_read_removable_device(mozilla_plugin_t)
++fs_read_removable_files(mozilla_plugin_t)
++fs_read_removable_symlinks(mozilla_plugin_t)
++
+ application_exec(mozilla_plugin_t)
+ application_dontaudit_signull(mozilla_plugin_t)
+ 
+diff --git a/mta.fc b/mta.fc
+index cb2791a..1e1a679 100644
+--- a/mta.fc
++++ b/mta.fc
+@@ -1,7 +1,7 @@
+-HOME_DIR/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0)
+ HOME_DIR/\.forward[^/]* -- gen_context(system_u:object_r:mail_home_t,s0)
+ HOME_DIR/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0)
+ HOME_DIR/\.mailrc -- gen_context(system_u:object_r:mail_home_t,s0) 
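Review bot: `storage_raw_read_removable_device(mozilla_plugin_t)` gives the browser plugin domain raw read access to removable block devices, a broader grant than the `fs_read_removable_files`/`fs_read_removable_symlinks` lines beside it and not obviously something every plugin needs. If one particular plugin requires it, wrapping these three lines in a `tunable_policy` block so the raw-device read is off by default would leave the default exposure of mozilla_plugin_t unchanged; at minimum a comment above the line should name the plugin or denial that motivated it. The mozilla_plugin_t policy block continues outside the hunk.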
++HOME_DIR/\.esmtp_queue(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
+ HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
+ HOME_DIR/.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
+ 
+@@ -17,10 +17,10 @@ ifdef(`distro_redhat',`
+ /etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0)
+ ')
+ 
+-/root/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0)
+ /root/\.forward -- gen_context(system_u:object_r:mail_home_t,s0)
+ /root/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0)
+ /root/\.mailrc -- gen_context(system_u:object_r:mail_home_t,s0)
++/root/\.esmtp_queue(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
+ /root/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
+ 
+ /usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+@@ -42,3 +42,4 @@ ifdef(`distro_redhat',`
+ /var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
+ /var/spool/mqueue\.in(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
+ /var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
++/var/spool/smtpd(/.*)? 
gen_context(system_u:object_r:mail_spool_t,s0)
+diff --git a/mta.if b/mta.if
+index e968c28..8f217ea 100644
+--- a/mta.if
++++ b/mta.if
+@@ -1174,6 +1174,7 @@ interface(`mta_filetrans_admin_home_content',`
+ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
+ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, ".maildir")
+ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue")
++ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, ".esmtp_queue")
+ ')
+ 
+ ########################################
+@@ -1198,6 +1199,7 @@ interface(`mta_filetrans_home_content',`
+ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
+ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, ".maildir")
+ userdom_user_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue")
++ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, ".esmtp_queue")
+ ')
+ 
+ ########################################
+diff --git a/mysql.if b/mysql.if
+index 404ed6d..a77dc09 100644
+--- a/mysql.if
++++ b/mysql.if
+@@ -233,6 +233,24 @@ interface(`mysql_append_db_files',`
+ files_search_var_lib($1)
+ append_files_pattern($1, mysqld_db_t, mysqld_db_t)
+ ')
++#######################################
++##
++## Read and write to the MySQL database directory.
++##
++##
++##
++## Domain allowed access. 
++##
++##
++#
++interface(`mysql_read_db_lnk_files',`
++ gen_require(`
++ type mysqld_db_t;
++ ')
++
++ files_search_var_lib($1)
++ read_lnk_files_pattern($1, mysqld_db_t, mysqld_db_t)
++')
+ 
+ #######################################
+ ##
+diff --git a/mysql.te b/mysql.te
+index 699587e..6e73360 100644
+--- a/mysql.te
++++ b/mysql.te
+@@ -132,6 +132,7 @@ auth_use_nsswitch(mysqld_t)
+ logging_send_syslog_msg(mysqld_t)
+ 
+ sysnet_read_config(mysqld_t)
++sysnet_exec_ifconfig(mysqld_t)
+ 
+ ifdef(`distro_redhat',`
+ filetrans_pattern(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file)
+diff --git a/nova.te b/nova.te
+index d5b54e5..2d9ab86 100644
+--- a/nova.te
++++ b/nova.te
+@@ -46,6 +46,7 @@ files_pid_file(nova_var_run_t)
+ # nova general domain local policy
+ #
+ 
++allow nova_domain self:process signal_perms;
+ allow nova_domain self:fifo_file rw_fifo_file_perms;
+ allow nova_domain self:tcp_socket create_stream_socket_perms;
+ allow nova_domain self:unix_stream_socket create_stream_socket_perms;
+@@ -76,6 +77,11 @@ fs_getattr_xattr_fs(nova_domain)
+ libs_exec_ldconfig(nova_domain)
+ 
+ optional_policy(`
++ mysql_stream_connect(nova_domain)
++ mysql_read_db_lnk_files(nova_domain)
++')
++
++optional_policy(`
+ sysnet_read_config(nova_domain)
+ sysnet_exec_ifconfig(nova_domain)
+ ')
+@@ -142,10 +148,6 @@ auth_use_nsswitch(nova_cert_t)
+ miscfiles_read_certs(nova_cert_t)
+ 
+ optional_policy(`
+- mysql_stream_connect(nova_cert_t)
+-')
+-
+-optional_policy(`
+ postgresql_stream_connect(nova_cert_t)
+ ')
+ 
+@@ -176,10 +178,6 @@ allow nova_console_t self:udp_socket create_socket_perms;
+ 
+ auth_use_nsswitch(nova_console_t)
+ 
+-optional_policy(`
+- mysql_stream_connect(nova_console_t)
+-')
+-
+ #######################################
+ #
+ # nova direct local policy
+@@ -270,6 +268,8 @@ optional_policy(`
+ allow nova_scheduler_t self:netlink_route_socket r_netlink_socket_perms;
+ allow nova_scheduler_t self:udp_socket create_socket_perms;
+ 
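Review bot: The summary `## Read and write to the MySQL database directory.` does not match the body of `mysql_read_db_lnk_files`, which grants only `files_search_var_lib($1)` and `read_lnk_files_pattern($1, mysqld_db_t, mysqld_db_t)`; anyone reading the interface documentation would over-estimate what the glance, keystone, nova and neutron callers in this patch receive. Suggested text: `## Read symbolic links in the MySQL database directory.`. The new block also begins directly after the `')` of `mysql_append_db_files` with no separating blank line, unlike the `passenger_kill` block added later in this patch.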
++auth_read_passwd(nova_scheduler_t)
++
+ #optional_policy(`
+ # unconfined_domain(nova_scheduler_t)
+ #')
+diff --git a/openshift.fc b/openshift.fc
+index 1d4e039..95b6381 100644
+--- a/openshift.fc
++++ b/openshift.fc
+@@ -5,7 +5,7 @@
+ 
+ /var/lib/stickshift(/.*)? gen_context(system_u:object_r:openshift_var_lib_t,s0)
+ /var/lib/stickshift/.*/data(/.*)? gen_context(system_u:object_r:openshift_rw_file_t,s0)
+-/var/lib/containers(/.*)? gen_context(system_u:object_r:openshift_var_lib_t,s0)
++/var/lib/containers/home(/.*)? gen_context(system_u:object_r:openshift_var_lib_t,s0)
+ /var/lib/openshift(/.*)? gen_context(system_u:object_r:openshift_var_lib_t,s0)
+ /var/lib/openshift/.*/data(/.*)? gen_context(system_u:object_r:openshift_rw_file_t,s0)
+ 
+diff --git a/openshift.if b/openshift.if
+index 9451b83..a472b52 100644
+--- a/openshift.if
++++ b/openshift.if
+@@ -362,6 +362,26 @@ interface(`openshift_manage_content',`
+ manage_sock_files_pattern($1, openshift_file_type, openshift_file_type)
+ ')
+ 
++########################################
++##
++## Relabel openshift library files
++##
++##
++##
++## Domain allowed access. 
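Review bot: This narrows openshift's claim to `/var/lib/containers/home(/.*)?` while gear.fc in the same patch labels `/var/lib/containers(/.*)?` as gear_var_lib_t, so the two modules now share one tree and the label of `/var/lib/containers/home` depends on the more specific openshift pattern winning over the gear one. Neither file records that relationship; a comment beside this line such as `# parent /var/lib/containers is gear_var_lib_t (see gear.fc); this subtree stays openshift_var_lib_t` would keep the next edit to either file from silently changing labels. The `openshift_manage_lib_*` and `openshift_relabelfrom_lib` calls added to gear.te presumably exist for this overlap; worth confirming that no other path under /var/lib/containers was relied on being openshift_var_lib_t.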
++##
++##
++#
++interface(`openshift_relabelfrom_lib',`
++ gen_require(`
++ type openshift_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ relabel_dirs_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
++ relabel_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
++')
++
+ #######################################
+ ##
+ ## Create private objects in the
+@@ -416,7 +436,6 @@ interface(`openshift_read_pid_files',`
+ allow $1 openshift_var_run_t:file read_file_perms;
+ ')
+ 
+-
+ ########################################
+ ##
+ ## All of the rules required to administrate
+diff --git a/openshift.te b/openshift.te
+index ebd0c68..93fd0ea 100644
+--- a/openshift.te
++++ b/openshift.te
+@@ -321,6 +321,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++ gear_search_lib(openshift_domain)
++')
++
++optional_policy(`
+ gpg_entry_type(openshift_domain)
+ ')
+ 
+diff --git a/openvpn.te b/openvpn.te
+index 265896b..fcda1bc 100644
+--- a/openvpn.te
++++ b/openvpn.te
+@@ -26,7 +26,7 @@ gen_tunable(openvpn_enable_homedirs, false)
+ ## connect to the TCP network.
+ ##
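Review bot: `openshift_relabelfrom_lib` is named for relabelfrom, but its body uses `relabel_dirs_pattern` and `relabel_files_pattern`, which grant both relabelfrom and relabelto on openshift_var_lib_t. The caller added in gear.te already holds `relabelfrom relabelto` on its own gear_var_lib_t and, given the gear.fc/openshift.fc change, seems to need only to move content away from the openshift type; if so, `relabelfrom_dirs_pattern($1, openshift_var_lib_t, openshift_var_lib_t)` and `relabelfrom_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)` match the name and withhold the ability to label arbitrary content as openshift library content. If relabelto really is required, rename the interface so its name says relabel. The summary `## Relabel openshift library files` should also mention directories, since they are covered.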

+ ##
+-gen_tunable(openvpn_can_network_connect, false)
++gen_tunable(openvpn_can_network_connect, true)
+ 
+ attribute_role openvpn_roles;
+ 
+diff --git a/openwsman.te b/openwsman.te
+index 49dc5ef..3bcd32c 100644
+--- a/openwsman.te
++++ b/openwsman.te
+@@ -9,6 +9,12 @@ type openwsman_t;
+ type openwsman_exec_t;
+ init_daemon_domain(openwsman_t, openwsman_exec_t)
+ 
++type openwsman_tmp_t;
++files_tmp_file(openwsman_tmp_t)
++
++type openwsman_tmpfs_t;
++files_tmpfs_file(openwsman_tmpfs_t)
++
+ type openwsman_log_t;
+ logging_log_file(openwsman_log_t)
+ 
+@@ -22,10 +28,21 @@ systemd_unit_file(openwsman_unit_file_t)
+ #
+ # openwsman local policy
+ #
++
++allow openwsman_t self:capability setuid;
++
+ allow openwsman_t self:process { fork };
+ allow openwsman_t self:fifo_file rw_fifo_file_perms;
+ allow openwsman_t self:unix_stream_socket create_stream_socket_perms;
+-allow openwsman_t self:tcp_socket { create_socket_perms listen };
++allow openwsman_t self:tcp_socket { create_socket_perms accept listen };
++
++manage_files_pattern(openwsman_t, openwsman_tmp_t, openwsman_tmp_t)
++manage_dirs_pattern(openwsman_t, openwsman_tmp_t, openwsman_tmp_t)
++files_tmp_filetrans(openwsman_t, openwsman_tmp_t, { dir file })
++
++manage_files_pattern(openwsman_t, openwsman_tmpfs_t, openwsman_tmpfs_t)
++manage_dirs_pattern(openwsman_t, openwsman_tmpfs_t, openwsman_tmpfs_t)
++fs_tmpfs_filetrans(openwsman_t, openwsman_tmpfs_t, { dir file })
+ 
+ manage_files_pattern(openwsman_t, openwsman_log_t, openwsman_log_t)
+ logging_log_filetrans(openwsman_t, openwsman_log_t, { file })
+@@ -34,10 +51,24 @@ manage_files_pattern(openwsman_t, openwsman_run_t, openwsman_run_t)
+ files_pid_filetrans(openwsman_t, openwsman_run_t, { file })
+ 
+ auth_use_nsswitch(openwsman_t)
++auth_domtrans_chkpwd(openwsman_t)
+ 
++corenet_tcp_connect_pegasus_https_port(openwsman_t)
+ corenet_tcp_bind_vnc_port(openwsman_t)
++corenet_tcp_bind_http_port(openwsman_t)
+ 
+ dev_read_urand(openwsman_t)
+ 
+ 
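Review bot: `gen_tunable(openvpn_can_network_connect, true)` flips the shipped default of a boolean that widens what openvpn_t may connect to, and nothing in the hunk records why; every system without an explicit local override picks the new default up on the next policy update. The `<desc>` text above still reads as if the access were opt-in, so it should state the new default (for example `## connect to the TCP network. Enabled by default.`), and a comment above the line or the patch header should give the rationale.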
logging_send_syslog_msg(openwsman_t)
++logging_send_audit_msgs(openwsman_t)
++
++optional_policy(`
++ sblim_stream_connect_sfcbd(openwsman_t)
++ sblim_rw_semaphores_sfcbd(openwsman_t)
++ sblim_getattr_exec_sfcbd(openwsman_t)
++')
++
++optional_policy(`
++ unconfined_domain(openwsman_t)
++')
+ 
+diff --git a/passenger.if b/passenger.if
+index 0ec51d4..2d8335f 100644
+--- a/passenger.if
++++ b/passenger.if
+@@ -159,3 +159,22 @@ interface(`passenger_manage_tmp_files',`
+ manage_files_pattern($1, passenger_tmp_t, passenger_tmp_t)
+ manage_dirs_pattern($1, passenger_tmp_t, passenger_tmp_t)
+ ')
++
++########################################
++##
++## Send kill signals to passenger.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`passenger_kill',`
++ gen_require(`
++ type passenger_t;
++ ')
++
++ allow $1 passenger_t:process sigkill;
++')
++
+diff --git a/pegasus.te b/pegasus.te
+index 6c3afa0..37539ec 100644
+--- a/pegasus.te
++++ b/pegasus.te
+@@ -203,6 +203,8 @@ optional_policy(`
+ # pegasus openlmi service local policy
+ #
+ 
++fs_getattr_all_fs(pegasus_openlmi_admin_t)
++
+ init_manage_transient_unit(pegasus_openlmi_admin_t)
+ init_disable_services(pegasus_openlmi_admin_t)
+ init_enable_services(pegasus_openlmi_admin_t)
+@@ -217,6 +219,9 @@ systemd_manage_all_unit_lnk_files(pegasus_openlmi_admin_t)
+ 
+ allow pegasus_openlmi_service_t self:udp_socket create_socket_perms;
+ 
++logging_read_syslog_pid(pegasus_openlmi_admin_t)
++logging_read_generic_logs(pegasus_openlmi_admin_t)
++
+ optional_policy(`
+ dbus_system_bus_client(pegasus_openlmi_admin_t)
+ 
+diff --git a/puppet.fc b/puppet.fc
+index 8c0b242..cad91e2 100644
+--- a/puppet.fc
++++ b/puppet.fc
+@@ -1,11 +1,19 @@
+-/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0)
++/etc/puppet(/.*)? 
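Review bot: `unconfined_domain(openwsman_t)` in the last `optional_policy` block makes the rest of this hunk, and the tmp/tmpfs, setuid and http-port rules added above it, moot whenever the unconfined module is loaded, so a network-facing daemon that now binds the http port and runs the password checker ends up effectively unconfined on a default install. If this is a stopgap while the openwsman policy is completed, say so at the call, e.g. `# TODO(<tracking id>): temporary; remove once openwsman_t is fully confined`, so it is not mistaken for the intended end state. Otherwise the preceding type-enforcement additions are dead weight and the patch header should say which of the two is meant.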
gen_context(system_u:object_r:puppet_etc_t,s0)
+ 
+-/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppetagent_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
+ 
+-/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
+-/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
+-/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
++#helper scripts
++/usr/bin/start-puppet-agent -- gen_context(system_u:object_r:puppetagent_exec_t,s0)
++/usr/bin/start-puppet-master -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
++
++/usr/bin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
++/usr/bin/puppetd -- gen_context(system_u:object_r:puppetagent_exec_t,s0)
++/usr/bin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
++
++/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
++/usr/sbin/puppetd -- gen_context(system_u:object_r:puppetagent_exec_t,s0)
++/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+ 
+ /var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0)
+ /var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0)
+diff --git a/puppet.te b/puppet.te
+index a375475..0903e67 100644
+--- a/puppet.te
++++ b/puppet.te
+@@ -1,4 +1,4 @@
+-policy_module(puppet, 1.3.0)
++policy_module(puppet, 1.4.0)
+ 
+ ########################################
+ #
+@@ -11,7 +11,7 @@ policy_module(puppet, 1.3.0)
+ ## types.
+ ##

+ ##
+-gen_tunable(puppet_manage_all_files, false)
++gen_tunable(puppetagent_manage_all_files, false)
+ 
+ ##
+ ##
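Review bot: Renaming the boolean from `puppet_manage_all_files` to `puppetagent_manage_all_files` has no counterpart to the `typealias` lines the next hunk adds for the types: a site that persisted `puppet_manage_all_files=on` loses that setting silently after the update, and tooling that queries the old name will report it as unknown. As far as I can see the policy language offers no alias for booleans, so either keep the old name (the description above can still talk about the agent) or call the rename out prominently in the patch header and the package's upgrade handling. The `tunable_policy` block that consumes the boolean is updated consistently later in the file.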

+@@ -20,15 +20,18 @@ gen_tunable(puppet_manage_all_files, false)
+ ##
+ gen_tunable(puppetmaster_use_db, false)
+ 
+-type puppet_t;
+-type puppet_exec_t;
+-init_daemon_domain(puppet_t, puppet_exec_t)
++type puppetagent_t;
++type puppetagent_exec_t;
++typealias puppetagent_exec_t alias puppet_exec_t;
++typealias puppetagent_t alias puppet_t;
++init_daemon_domain(puppetagent_t, puppetagent_exec_t)
+ 
+ type puppet_etc_t;
+ files_config_file(puppet_etc_t)
+ 
+-type puppet_initrc_exec_t;
+-init_script_file(puppet_initrc_exec_t)
++type puppetagent_initrc_exec_t;
++typealias puppetagent_initrc_exec_t alias puppet_initrc_exec_t;
++init_script_file(puppetagent_initrc_exec_t)
+ 
+ type puppet_log_t;
+ logging_log_file(puppet_log_t)
+@@ -62,205 +65,142 @@ files_tmp_file(puppetmaster_tmp_t)
+ # Puppet personal policy
+ #
+ 
+-allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_tty_config };
+-allow puppet_t self:process { signal signull getsched setsched };
+-allow puppet_t self:fifo_file rw_fifo_file_perms;
+-allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
+-allow puppet_t self:tcp_socket create_stream_socket_perms;
+-allow puppet_t self:udp_socket create_socket_perms;
++allow puppetagent_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_tty_config };
++allow puppetagent_t self:process { signal signull getsched setsched };
++allow puppetagent_t self:fifo_file rw_fifo_file_perms;
++allow puppetagent_t self:netlink_route_socket create_netlink_socket_perms;
++allow puppetagent_t self:tcp_socket create_stream_socket_perms;
++allow puppetagent_t self:udp_socket create_socket_perms;
+ 
+-read_files_pattern(puppet_t, puppet_etc_t, puppet_etc_t)
++read_files_pattern(puppetagent_t, puppet_etc_t, puppet_etc_t)
+ 
+-manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
+-manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
+-files_search_var_lib(puppet_t) 
++manage_dirs_pattern(puppetagent_t, puppet_var_lib_t, puppet_var_lib_t)
++manage_files_pattern(puppetagent_t, puppet_var_lib_t, puppet_var_lib_t)
++files_search_var_lib(puppetagent_t)
+ 
+-manage_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
+-manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
+-files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir })
++manage_dirs_pattern(puppetagent_t, puppet_var_run_t, puppet_var_run_t)
++manage_files_pattern(puppetagent_t, puppet_var_run_t, puppet_var_run_t)
++files_pid_filetrans(puppetagent_t, puppet_var_run_t, { file dir })
+ 
+-create_dirs_pattern(puppet_t, var_log_t, puppet_log_t)
+-create_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
+-append_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
+-logging_log_filetrans(puppet_t, puppet_log_t, { file dir })
++create_dirs_pattern(puppetagent_t, var_log_t, puppet_log_t)
++create_files_pattern(puppetagent_t, puppet_log_t, puppet_log_t)
++append_files_pattern(puppetagent_t, puppet_log_t, puppet_log_t)
++logging_log_filetrans(puppetagent_t, puppet_log_t, { file dir })
+ 
+-manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
+-manage_files_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
+-files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir })
++manage_dirs_pattern(puppetagent_t, puppet_tmp_t, puppet_tmp_t)
++manage_files_pattern(puppetagent_t, puppet_tmp_t, puppet_tmp_t)
++files_tmp_filetrans(puppetagent_t, puppet_tmp_t, { file dir })
+ 
+-kernel_dontaudit_search_sysctl(puppet_t)
+-kernel_dontaudit_search_kernel_sysctl(puppet_t)
+-kernel_read_system_state(puppet_t)
+-kernel_read_crypto_sysctls(puppet_t)
+-kernel_read_kernel_sysctls(puppet_t)
++kernel_dontaudit_search_sysctl(puppetagent_t)
++kernel_dontaudit_search_kernel_sysctl(puppetagent_t)
++kernel_read_system_state(puppetagent_t)
++kernel_read_crypto_sysctls(puppetagent_t)
++kernel_read_kernel_sysctls(puppetagent_t)
+ 
+-corecmd_read_all_executables(puppet_t) 
+-corecmd_dontaudit_access_all_executables(puppet_t)
+-corecmd_exec_bin(puppet_t)
+-corecmd_exec_shell(puppet_t)
++corecmd_read_all_executables(puppetagent_t)
++corecmd_dontaudit_access_all_executables(puppetagent_t)
++corecmd_exec_bin(puppetagent_t)
++corecmd_exec_shell(puppetagent_t)
+ 
+-corenet_all_recvfrom_netlabel(puppet_t)
+-corenet_tcp_sendrecv_generic_if(puppet_t)
+-corenet_tcp_sendrecv_generic_node(puppet_t)
+-corenet_tcp_bind_generic_node(puppet_t)
+-corenet_tcp_connect_puppet_port(puppet_t)
+-corenet_sendrecv_puppet_client_packets(puppet_t)
++corenet_all_recvfrom_netlabel(puppetagent_t)
++corenet_tcp_sendrecv_generic_if(puppetagent_t)
++corenet_tcp_sendrecv_generic_node(puppetagent_t)
++corenet_tcp_bind_generic_node(puppetagent_t)
++corenet_tcp_connect_puppet_port(puppetagent_t)
++corenet_sendrecv_puppet_client_packets(puppetagent_t)
+ 
+-dev_read_rand(puppet_t)
+-dev_read_sysfs(puppet_t)
+-dev_read_urand(puppet_t)
++dev_read_rand(puppetagent_t)
++dev_read_sysfs(puppetagent_t)
++dev_read_urand(puppetagent_t)
+ 
+-domain_read_all_domains_state(puppet_t)
+-domain_interactive_fd(puppet_t)
++domain_read_all_domains_state(puppetagent_t)
++domain_interactive_fd(puppetagent_t)
++domain_named_filetrans(puppetagent_t)
+ 
+-files_manage_config_files(puppet_t)
+-files_manage_config_dirs(puppet_t)
+-files_manage_etc_dirs(puppet_t)
+-files_manage_etc_files(puppet_t)
+-files_read_usr_symlinks(puppet_t)
+-files_relabel_config_dirs(puppet_t)
+-files_relabel_config_files(puppet_t)
++files_manage_config_files(puppetagent_t)
++files_manage_config_dirs(puppetagent_t)
++files_manage_etc_dirs(puppetagent_t)
++files_manage_etc_files(puppetagent_t)
++files_read_usr_symlinks(puppetagent_t)
++files_relabel_config_dirs(puppetagent_t)
++files_relabel_config_files(puppetagent_t)
+ 
+-selinux_set_all_booleans(puppet_t)
+-selinux_set_generic_booleans(puppet_t)
+-selinux_validate_context(puppet_t)
++selinux_set_all_booleans(puppetagent_t)
++selinux_set_generic_booleans(puppetagent_t) 
++selinux_validate_context(puppetagent_t)
+ 
+-term_dontaudit_getattr_unallocated_ttys(puppet_t)
+-term_dontaudit_getattr_all_ttys(puppet_t)
++term_dontaudit_getattr_unallocated_ttys(puppetagent_t)
++term_dontaudit_getattr_all_ttys(puppetagent_t)
+ 
+-auth_use_nsswitch(puppet_t)
++auth_use_nsswitch(puppetagent_t)
+ 
+-init_all_labeled_script_domtrans(puppet_t)
+-init_domtrans_script(puppet_t)
+-init_read_utmp(puppet_t)
+-init_signull_script(puppet_t)
++init_all_labeled_script_domtrans(puppetagent_t)
++init_domtrans_script(puppetagent_t)
++init_read_utmp(puppetagent_t)
++init_signull_script(puppetagent_t)
+ 
+-logging_send_syslog_msg(puppet_t)
++logging_send_syslog_msg(puppetagent_t)
+ 
+-miscfiles_read_hwdata(puppet_t)
++miscfiles_read_hwdata(puppetagent_t)
+ 
+-seutil_domtrans_setfiles(puppet_t)
+-seutil_domtrans_semanage(puppet_t)
+-seutil_read_file_contexts(puppet_t)
++seutil_domtrans_setfiles(puppetagent_t)
++seutil_domtrans_semanage(puppetagent_t)
++seutil_read_file_contexts(puppetagent_t)
+ 
+-sysnet_run_ifconfig(puppet_t, system_r)
++sysnet_run_ifconfig(puppetagent_t, system_r)
+ 
+-usermanage_access_check_groupadd(puppet_t)
+-usermanage_access_check_passwd(puppet_t)
+-usermanage_access_check_useradd(puppet_t)
++usermanage_access_check_groupadd(puppetagent_t)
++usermanage_access_check_passwd(puppetagent_t)
++usermanage_access_check_useradd(puppetagent_t)
+ 
+-tunable_policy(`puppet_manage_all_files',`
+- files_manage_non_security_files(puppet_t)
++tunable_policy(`puppetagent_manage_all_files',`
++ files_manage_non_security_files(puppetagent_t)
+ ')
+ 
+ optional_policy(`
+- cfengine_read_lib_files(puppet_t)
++ mysql_stream_connect(puppetagent_t)
+ ')
+ 
+ optional_policy(`
+- consoletype_exec(puppet_t)
++ postgresql_stream_connect(puppetagent_t)
+ ')
+ 
+ optional_policy(`
+- hostname_exec(puppet_t)
++ cfengine_read_lib_files(puppetagent_t)
+ ')
+ 
+ optional_policy(`
+- mount_domtrans(puppet_t)
++ consoletype_exec(puppetagent_t)
+ ')
+ 
+ optional_policy(`
+- 
mta_send_mail(puppet_t)
++ hostname_exec(puppetagent_t)
+ ')
+ 
+ optional_policy(`
+- portage_domtrans(puppet_t)
+- portage_domtrans_fetch(puppet_t)
+- portage_domtrans_gcc_config(puppet_t)
++ mount_domtrans(puppetagent_t)
+ ')
+ 
+ optional_policy(`
+- files_rw_var_files(puppet_t)
+-
+- rpm_domtrans(puppet_t)
+- rpm_manage_db(puppet_t)
+- rpm_manage_log(puppet_t)
+-')
+-
+-optional_policy(`
+- unconfined_domain(puppet_t)
+-')
+-
+-optional_policy(`
+- auth_filetrans_named_content(puppet_t)
+-')
+-
+-optional_policy(`
+- alsa_filetrans_named_content(puppet_t)
+-')
+-
+-optional_policy(`
+- bootloader_filetrans_config(puppet_t)
+-')
+-
+-optional_policy(`
+- devicekit_filetrans_named_content(puppet_t)
+-')
+-
+-optional_policy(`
+- dnsmasq_filetrans_named_content(puppet_t)
+-')
+-
+-optional_policy(`
+- kerberos_filetrans_named_content(puppet_t)
+-')
+-
+-optional_policy(`
+- libs_filetrans_named_content(puppet_t)
+-')
+-
+-optional_policy(`
+- miscfiles_filetrans_named_content(puppet_t)
+-')
+-
+-optional_policy(`
+- mta_filetrans_named_content(puppet_t)
+-')
+-
+-optional_policy(`
+- modules_filetrans_named_content(puppet_t)
+-')
+-
+-optional_policy(`
+- networkmanager_filetrans_named_content(puppet_t)
+-')
+-
+-optional_policy(`
+- nx_filetrans_named_content(puppet_t)
+-')
+-
+-optional_policy(`
+- postfix_filetrans_named_content(puppet_t)
+-')
+-
+-optional_policy(`
+- openshift_initrc_domtrans(puppet_t)
++ mta_send_mail(puppetagent_t)
+ ')
+ 
+ optional_policy(`
+- quota_filetrans_named_content(puppet_t)
++ portage_domtrans(puppetagent_t)
++ portage_domtrans_fetch(puppetagent_t)
++ portage_domtrans_gcc_config(puppetagent_t)
+ ')
+ 
+ optional_policy(`
+- sysnet_filetrans_named_content(puppet_t)
+-')
++ files_rw_var_files(puppetagent_t)
+ 
+-optional_policy(`
+- virt_filetrans_home_content(puppet_t)
++ rpm_domtrans(puppetagent_t)
++ rpm_manage_db(puppetagent_t)
++ rpm_manage_log(puppetagent_t)
+ ')
+ 
+ optional_policy(`
+- ssh_filetrans_admin_home_content(puppet_t) 
++ unconfined_domain_noaudit(puppetagent_t) + ') + + ######################################## +diff --git a/quantum.te b/quantum.te +index 52bad99..156e9af 100644 +--- a/quantum.te ++++ b/quantum.te +@@ -29,13 +29,17 @@ systemd_unit_file(neutron_unit_file_t) + # Local policy + # + +-allow neutron_t self:capability { sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw }; +-allow neutron_t self:process { setsched setrlimit }; ++allow neutron_t self:capability { dac_override sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw net_bind_service}; ++allow neutron_t self:capability2 block_suspend; ++allow neutron_t self:process { setsched setrlimit setcap signal_perms }; ++ + allow neutron_t self:fifo_file rw_fifo_file_perms; + allow neutron_t self:key manage_key_perms; + allow neutron_t self:tcp_socket { accept listen }; + allow neutron_t self:unix_stream_socket { accept listen }; + allow neutron_t self:netlink_route_socket rw_netlink_socket_perms; ++allow neutron_t self:rawip_socket create_socket_perms; ++allow neutron_t self:packet_socket create_socket_perms; + + manage_dirs_pattern(neutron_t, neutron_log_t, neutron_log_t) + append_files_pattern(neutron_t, neutron_log_t, neutron_log_t) +@@ -44,18 +48,21 @@ setattr_files_pattern(neutron_t, neutron_log_t, neutron_log_t) + logging_log_filetrans(neutron_t, neutron_log_t, dir) + + manage_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t) +-files_tmp_filetrans(neutron_t, neutron_tmp_t, file) ++manage_dirs_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t) ++files_tmp_filetrans(neutron_t, neutron_tmp_t, { file dir }) + + manage_dirs_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t) + manage_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t) ++manage_sock_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t) + files_var_lib_filetrans(neutron_t, neutron_var_lib_t, dir) + + can_exec(neutron_t, neutron_tmp_t) + +-kernel_read_kernel_sysctls(neutron_t) + 
kernel_read_system_state(neutron_t) + kernel_read_network_state(neutron_t) + kernel_request_load_module(neutron_t) ++kernel_rw_kernel_sysctl(neutron_t) ++kernel_rw_net_sysctls(neutron_t) + + corecmd_exec_shell(neutron_t) + corecmd_exec_bin(neutron_t) +@@ -71,7 +78,9 @@ corenet_tcp_bind_neutron_port(neutron_t) + corenet_tcp_connect_keystone_port(neutron_t) + corenet_tcp_connect_amqp_port(neutron_t) + corenet_tcp_connect_mysqld_port(neutron_t) ++corenet_tcp_connect_osapi_compute_port(neutron_t) + ++domain_read_all_domains_state(neutron_t) + domain_named_filetrans(neutron_t) + + dev_read_sysfs(neutron_t) +@@ -82,6 +91,8 @@ dev_unmount_sysfs_fs(neutron_t) + + files_mounton_non_security(neutron_t) + ++fs_getattr_all_fs(neutron_t) ++ + auth_use_nsswitch(neutron_t) + + libs_exec_ldconfig(neutron_t) +@@ -89,6 +100,9 @@ libs_exec_ldconfig(neutron_t) + logging_send_audit_msgs(neutron_t) + logging_send_syslog_msg(neutron_t) + ++netutils_exec(neutron_t) ++ ++# need to stay in neutron + sysnet_exec_ifconfig(neutron_t) + sysnet_manage_ifconfig_run(neutron_t) + sysnet_filetrans_named_content_ifconfig(neutron_t) +@@ -109,16 +123,19 @@ optional_policy(` + ') + + optional_policy(` ++ modutils_domtrans_insmod(neutron_t) ++') ++ ++optional_policy(` + mysql_stream_connect(neutron_t) ++ mysql_read_db_lnk_files(neutron_t) + mysql_read_config(neutron_t) +- + mysql_tcp_connect(neutron_t) + ') + + optional_policy(` + postgresql_stream_connect(neutron_t) + postgresql_unpriv_client(neutron_t) +- + postgresql_tcp_connect(neutron_t) + ') + +@@ -129,4 +146,8 @@ optional_policy(` + + optional_policy(` + sudo_exec(neutron_t) ++') ++ ++optional_policy(` ++ udev_domtrans(neutron_t) + ') +diff --git a/rabbitmq.te b/rabbitmq.te +index 7d5630f..9fb98a1 100644 +--- a/rabbitmq.te ++++ b/rabbitmq.te +@@ -87,6 +87,7 @@ corenet_tcp_connect_couchdb_port(rabbitmq_beam_t) + corenet_tcp_connect_epmd_port(rabbitmq_beam_t) + corenet_tcp_connect_jabber_interserver_port(rabbitmq_beam_t) + 
corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t) ++corenet_tcp_connect_http_port(rabbitmq_beam_t) + + domain_read_all_domains_state(rabbitmq_beam_t) + +@@ -127,7 +128,7 @@ allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms; + allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms; + allow rabbitmq_epmd_t self:unix_stream_socket { accept listen }; + +-allow rabbitmq_epmd_t rabbitmq_var_log_t:file append_file_perms; ++allow rabbitmq_epmd_t rabbitmq_var_log_t:file manage_file_perms; + + manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t) + +diff --git a/rhcs.te b/rhcs.te +index 4fd3b77..503838b 100644 +--- a/rhcs.te ++++ b/rhcs.te +@@ -593,6 +593,7 @@ logging_send_syslog_msg(groupd_t) + allow haproxy_t self:capability { dac_override kill }; + + allow haproxy_t self:capability { chown setgid setuid sys_chroot sys_resource }; ++allow haproxy_t self:capability2 block_suspend; + allow haproxy_t self:process { fork setrlimit signal_perms }; + allow haproxy_t self:fifo_file rw_fifo_file_perms; + allow haproxy_t self:unix_stream_socket create_stream_socket_perms; +diff --git a/rhsmcertd.te b/rhsmcertd.te +index d193f7a..87038e7 100644 +--- a/rhsmcertd.te ++++ b/rhsmcertd.te +@@ -53,6 +53,7 @@ kernel_read_system_state(rhsmcertd_t) + kernel_read_sysctl(rhsmcertd_t) + + corenet_tcp_connect_http_port(rhsmcertd_t) ++corenet_tcp_connect_http_cache_port(rhsmcertd_t) + corenet_tcp_connect_squid_port(rhsmcertd_t) + + corecmd_exec_bin(rhsmcertd_t) +diff --git a/rsync.te b/rsync.te +index d7db2d9..7a6ca6c 100644 +--- a/rsync.te ++++ b/rsync.te +@@ -170,4 +170,6 @@ auth_can_read_shadow_passwords(rsync_t) + + optional_policy(` + swift_manage_data_files(rsync_t) ++ swift_manage_lock(rsync_t) ++ swift_filetrans_named_lock(rsync_t) + ') +diff --git a/sandbox.if b/sandbox.if +index 89bc443..a2cb772 100644 +--- a/sandbox.if ++++ b/sandbox.if +@@ -22,14 +22,42 @@ interface(`sandbox_transition',` + attribute sandbox_domain; + ') + +- allow $1 
sandbox_domain:process transition; +- dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh }; +- role $2 types sandbox_domain; +- allow sandbox_domain $1:process { sigchld signull }; +- allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms; +- dontaudit sandbox_domain $1:process signal; +- dontaudit sandbox_domain $1:key { link read search view }; +- dontaudit sandbox_domain $1:unix_stream_socket rw_socket_perms; ++ sandbox_dyntransition($1) #885288 ++ allow $1 sandbox_domain:process transition; ++ dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh }; ++ ++ role $2 types sandbox_domain; ++ ++ allow sandbox_domain $1:process { sigchld signull }; ++ allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms; ++ ++ dontaudit sandbox_domain $1:process signal; ++ dontaudit sandbox_domain $1:key { link read search view }; ++ dontaudit sandbox_domain $1:unix_stream_socket rw_socket_perms; ++') ++ ++######################################## ++##

++## Execute sandbox in the sandbox domain, and ++## allow the specified role the sandbox domain. ++## ++## ++## ++## Domain allowed access ++## ++## ++## ++## ++## The role to be allowed the sandbox domain. ++## ++## ++# ++interface(`sandbox_dyntransition',` ++ gen_require(` ++ attribute sandbox_domain; ++ ') ++ ++ allow $1 sandbox_domain:process dyntransition; + ') + + ######################################## +diff --git a/sandboxX.if b/sandboxX.if +index 3258f45..03bdcef 100644 +--- a/sandboxX.if ++++ b/sandboxX.if +@@ -26,6 +26,7 @@ interface(`sandbox_x_transition',` + ') + + allow $1 sandbox_x_domain:process { signal_perms transition }; ++ allow $1 sandbox_x_domain:process dyntransition; + dontaudit $1 sandbox_x_domain:process { noatsecure siginh rlimitinh }; + allow sandbox_x_domain $1:process { sigchld signull }; + allow { sandbox_x_domain sandbox_xserver_t } $1:fd use; +diff --git a/sblim.if b/sblim.if +index d4aa009..562666e 100644 +--- a/sblim.if ++++ b/sblim.if +@@ -86,6 +86,84 @@ interface(`sblim_filetrans_named_content',` + + ######################################## + ## ++## Connect to sblim_sfcb over a unix stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sblim_stream_connect_sfcbd',` ++ gen_require(` ++ type sblim_sfcb_t, sblim_var_lib_t; ++ type sblim_tmp_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, sblim_var_lib_t, sblim_var_lib_t, sblim_sfcb_t) ++ stream_connect_pattern($1, sblim_var_lib_t, sblim_tmp_t, sblim_tmp_t) ++') ++ ++####################################### ++## ++## Getattr on sblim executable. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`sblim_getattr_exec_sfcbd',` ++ gen_require(` ++ type sblim_sfcbd_exec_t; ++ ') ++ ++ allow $1 sblim_sfcbd_exec_t:file getattr; ++') ++ ++ ++######################################## ++## ++## Connect to sblim_sfcb over a unix stream socket. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`sblim_stream_connect_sfcb',` ++ gen_require(` ++ type sblim_sfcb_t, sblim_var_lib_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, sblim_var_lib_t, sblim_var_lib_t, sblim_sfcb_t) ++') ++ ++####################################### ++## ++## Allow read and write access to sblim semaphores. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sblim_rw_semaphores_sfcbd',` ++ gen_require(` ++ type sblim_sfcbd_t; ++ ') ++ ++ allow $1 sblim_sfcbd_t:sem rw_sem_perms; ++') ++ ++ ++######################################## ++## + ## All of the rules required to administrate + ## an gatherd environment + ## +diff --git a/sblim.te b/sblim.te +index 20f5040..21c15bb 100644 +--- a/sblim.te ++++ b/sblim.te +@@ -157,9 +157,19 @@ auth_use_nsswitch(sblim_sfcbd_t) + + corenet_tcp_bind_pegasus_http_port(sblim_sfcbd_t) + corenet_tcp_connect_pegasus_http_port(sblim_sfcbd_t) ++corenet_tcp_bind_pegasus_https_port(sblim_sfcbd_t) ++corenet_tcp_connect_pegasus_https_port(sblim_sfcbd_t) ++ ++corecmd_exec_shell(sblim_sfcbd_t) ++corecmd_exec_bin(sblim_sfcbd_t) + + dev_read_rand(sblim_sfcbd_t) + dev_read_urand(sblim_sfcbd_t) + + domain_read_all_domains_state(sblim_sfcbd_t) + domain_use_interactive_fds(sblim_sfcbd_t) ++ ++optional_policy(` ++ rpm_exec(sblim_sfcbd_t) ++ rpm_dontaudit_manage_db(sblim_sfcbd_t) ++') +diff --git a/sensord.fc b/sensord.fc +index 97926d2..9be989a 100644 +--- a/sensord.fc ++++ b/sensord.fc +@@ -4,6 +4,6 @@ + + /usr/sbin/sensord -- gen_context(system_u:object_r:sensord_exec_t,s0) + +-/var/log/sensord\.rrd -- gen_context(system_u:object_r:sensord_log_t,s0) ++/var/log/sensor.* gen_context(system_u:object_r:sensord_log_t,s0) + + /var/run/sensord\.pid -- gen_context(system_u:object_r:sensord_var_run_t,s0) +diff --git a/slocate.te b/slocate.te +index 8417705..669d253 100644 +--- a/slocate.te ++++ b/slocate.te +@@ -61,3 +61,8 @@ ifdef(`enable_mls',` + optional_policy(` + cron_system_entry(locate_t, locate_exec_t) + ') 
++ ++optional_policy(` ++ mock_getattr_lib(locate_t) ++') ++ +diff --git a/snapper.fc b/snapper.fc +index 660fcd2..d1d72f2 100644 +--- a/snapper.fc ++++ b/snapper.fc +@@ -6,3 +6,5 @@ HOME_DIR/\.snapshots -d gen_context(system_u:object_r:snapperd_home_t,s0) + /etc/sysconfig/snapper -- gen_context(system_u:object_r:snapperd_conf_t,s0) + + /var/log/snapper\.log.* -- gen_context(system_u:object_r:snapperd_log_t,s0) ++ ++/mnt/(.*/)?.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0) +diff --git a/spamassassin.te b/spamassassin.te +index 32f670e..e8531d9 100644 +--- a/spamassassin.te ++++ b/spamassassin.te +@@ -275,12 +275,17 @@ manage_lnk_files_pattern(spamc_t, spamc_home_t, spamc_home_t) + manage_fifo_files_pattern(spamc_t, spamc_home_t, spamc_home_t) + manage_sock_files_pattern(spamc_t, spamc_home_t, spamc_home_t) + userdom_append_user_home_content_files(spamc_t) ++spamassassin_filetrans_home_content(spamc_t) ++spamassassin_filetrans_admin_home_content(spamc_t) + # for /root/.pyzor + allow spamc_t self:capability dac_override; + + list_dirs_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t) + read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t) + ++read_files_pattern(spamc_t, spamd_spool_t, spamd_spool_t) ++list_dirs_pattern(spamc_t, spamd_spool_t, spamd_spool_t) ++ + # Allow connecting to a local spamd + allow spamc_t spamd_t:unix_stream_socket connectto; + allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms; +diff --git a/sssd.te b/sssd.te +index fb39837..eb8bb88 100644 +--- a/sssd.te ++++ b/sssd.te +@@ -68,6 +68,7 @@ kernel_request_load_module(sssd_t) + corenet_udp_bind_generic_port(sssd_t) + corenet_dontaudit_udp_bind_all_ports(sssd_t) + corenet_tcp_connect_kerberos_password_port(sssd_t) ++corenet_tcp_connect_smbd_port(sssd_t) + + corecmd_exec_bin(sssd_t) + +diff --git a/stapserver.te b/stapserver.te +index e472397..6aeecac 100644 +--- a/stapserver.te ++++ b/stapserver.te +@@ -72,6 +72,7 @@ files_list_tmp(stapserver_t) + 
files_search_kernel_modules(stapserver_t) + + fs_search_cgroup_dirs(stapserver_t) ++fs_getattr_all_fs(stapserver_t) + + auth_use_nsswitch(stapserver_t) + +diff --git a/swift.fc b/swift.fc +index 744f0ce..b07d112 100644 +--- a/swift.fc ++++ b/swift.fc +@@ -15,8 +15,11 @@ + /usr/bin/swift-object-server -- gen_context(system_u:object_r:swift_exec_t,s0) + /usr/bin/swift-object-updater -- gen_context(system_u:object_r:swift_exec_t,s0) + ++/usr/bin/swift-proxy-server -- gen_context(system_u:object_r:swift_exec_t,s0) ++ + /usr/lib/systemd/system/openstack-swift.* -- gen_context(system_u:object_r:swift_unit_file_t,s0) + ++/var/lock/swift.* gen_context(system_u:object_r:swift_lock_t,s0) + /var/cache/swift(/.*)? -- gen_context(system_u:object_r:swift_var_cache_t,s0) + /var/run/swift(/.*)? -- gen_context(system_u:object_r:swift_var_run_t,s0) + +diff --git a/swift.if b/swift.if +index df82c36..6a1f575 100644 +--- a/swift.if ++++ b/swift.if +@@ -59,6 +59,43 @@ interface(`swift_manage_data_files',` + manage_dirs_pattern($1, swift_data_t, swift_data_t) + ') + ++##################################### ++## ++## Read and write swift lock files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`swift_manage_lock',` ++ gen_require(` ++ type swift_lock_t; ++ ') ++ ++ files_search_locks($1) ++ manage_files_pattern($1, swift_lock_t, swift_lock_t) ++') ++ ++####################################### ++## ++## Transition content labels to swift named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`swift_filetrans_named_lock',` ++ gen_require(` ++ type swift_lock_t; ++ ') ++ ++ files_lock_filetrans($1, swift_lock_t, file, "swift_server.lock") ++') ++ + ######################################## + ## + ## Execute swift server in the swift domain. 
+diff --git a/swift.te b/swift.te +index 7bef550..7fce837 100644 +--- a/swift.te ++++ b/swift.te +@@ -9,8 +9,14 @@ type swift_t; + type swift_exec_t; + init_daemon_domain(swift_t, swift_exec_t) + ++type swift_lock_t; ++files_lock_file(swift_lock_t) ++ + type swift_tmp_t; +-files_tmpfs_file(swift_tmp_t) ++files_tmp_file(swift_tmp_t) ++ ++type swift_tmpfs_t; ++files_tmpfs_file(swift_tmpfs_t) + + type swift_var_cache_t; + files_type(swift_var_cache_t) +@@ -36,10 +42,18 @@ allow swift_t self:tcp_socket create_stream_socket_perms; + allow swift_t self:unix_stream_socket create_stream_socket_perms; + allow swift_t self:unix_dgram_socket create_socket_perms; + ++manage_dirs_pattern(swift_t, swift_lock_t, swift_lock_t) ++manage_files_pattern(swift_t, swift_lock_t, swift_lock_t) ++files_lock_filetrans(swift_t, swift_lock_t, { dir file }) ++ + manage_dirs_pattern(swift_t, swift_tmp_t, swift_tmp_t) + manage_files_pattern(swift_t, swift_tmp_t, swift_tmp_t) + files_tmp_filetrans(swift_t, swift_tmp_t, { dir file }) + ++manage_dirs_pattern(swift_t, swift_tmpfs_t, swift_tmpfs_t) ++manage_files_pattern(swift_t, swift_tmpfs_t, swift_tmpfs_t) ++fs_tmpfs_filetrans(swift_t, swift_tmpfs_t, { dir file }) ++ + manage_dirs_pattern(swift_t, swift_var_cache_t, swift_var_cache_t) + manage_files_pattern(swift_t, swift_var_cache_t, swift_var_cache_t) + manage_lnk_files_pattern(swift_t, swift_var_cache_t, swift_var_cache_t) +@@ -59,7 +73,12 @@ kernel_dgram_send(swift_t) + kernel_read_system_state(swift_t) + kernel_read_network_state(swift_t) + ++# bug in swift ++corenet_tcp_bind_xserver_port(swift_t) ++corenet_tcp_bind_http_cache_port(swift_t) ++ + corecmd_exec_shell(swift_t) ++corecmd_exec_bin(swift_t) + + dev_read_urand(swift_t) + +@@ -67,6 +86,8 @@ domain_use_interactive_fds(swift_t) + + files_dontaudit_search_home(swift_t) + ++fs_getattr_all_fs(swift_t) ++ + auth_use_nsswitch(swift_t) + + libs_exec_ldconfig(swift_t) +@@ -77,4 +98,5 @@ userdom_dontaudit_search_user_home_dirs(swift_t) + + 
optional_policy(` + rpm_exec(swift_t) ++ rpm_dontaudit_manage_db(swift_t) + ') +diff --git a/tgtd.te b/tgtd.te +index 60f4ce9..704a0e2 100644 +--- a/tgtd.te ++++ b/tgtd.te +@@ -56,6 +56,7 @@ files_pid_filetrans(tgtd_t,tgtd_var_run_t, { file sock_file }) + + kernel_read_system_state(tgtd_t) + kernel_read_fs_sysctls(tgtd_t) ++kernel_read_network_state(tgtd_t) + + corenet_all_recvfrom_netlabel(tgtd_t) + corenet_tcp_sendrecv_generic_if(tgtd_t) +diff --git a/ulogd.te b/ulogd.te +index bd23e7f..022c367 100644 +--- a/ulogd.te ++++ b/ulogd.te +@@ -44,7 +44,7 @@ create_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t) + setattr_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t) + logging_log_filetrans(ulogd_t, ulogd_var_log_t, file) + +- ++kernel_request_load_module(ulogd_t) + + sysnet_dns_name_resolve(ulogd_t) + +diff --git a/virt.te b/virt.te +index 57af4d0..1df2084 100644 +--- a/virt.te ++++ b/virt.te +@@ -522,7 +522,7 @@ tunable_policy(`virt_use_nfs',` + ') + + tunable_policy(`virt_use_samba',` +- fs_manage_nfs_files(virtd_t) ++ fs_manage_cifs_dirs(virtd_t) + fs_manage_cifs_files(virtd_t) + fs_read_cifs_symlinks(virtd_t) + ') +@@ -1168,6 +1168,7 @@ allow svirt_sandbox_domain self:msgq create_msgq_perms; + allow svirt_sandbox_domain self:unix_stream_socket { create_stream_socket_perms connectto }; + allow svirt_sandbox_domain self:unix_dgram_socket { sendto create_socket_perms }; + allow svirt_sandbox_domain self:passwd rootok; ++allow svirt_sandbox_domain self:filesystem associate; + + tunable_policy(`deny_ptrace',`',` + allow svirt_sandbox_domain self:process ptrace; +@@ -1256,11 +1257,16 @@ optional_policy(` + docker_manage_lib_files(svirt_lxc_net_t) + docker_manage_lib_dirs(svirt_lxc_net_t) + docker_read_share_files(svirt_sandbox_domain) ++ docker_exec_lib(svirt_sandbox_domain) + docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file) + docker_use_ptys(svirt_sandbox_domain) + ') + + optional_policy(` ++ 
gear_read_pid_files(svirt_sandbox_domain) ++') ++ ++optional_policy(` + mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) + ') + +@@ -1283,8 +1289,8 @@ tunable_policy(`virt_use_nfs',` + ') + + tunable_policy(`virt_use_samba',` +- fs_manage_nfs_files(svirt_sandbox_domain) + fs_manage_cifs_files(svirt_sandbox_domain) ++ fs_manage_cifs_dirs(svirt_sandbox_domain) + fs_read_cifs_symlinks(svirt_sandbox_domain) + ') + +@@ -1671,5 +1677,3 @@ optional_policy(` + optional_policy(` + systemd_dbus_chat_logind(sandbox_net_domain) + ') +- +- +diff --git a/zabbix.te b/zabbix.te +index 614e66c..551c4e9 100644 +--- a/zabbix.te ++++ b/zabbix.te +@@ -125,9 +125,9 @@ zabbix_agent_tcp_connect(zabbix_t) + logging_send_syslog_msg(zabbix_t) + + tunable_policy(`zabbix_can_network',` +- corenet_sendrecv_all_client_packets(zabbix_t) +- corenet_tcp_connect_all_ports(zabbix_t) +- corenet_tcp_sendrecv_all_ports(zabbix_t) ++ corenet_sendrecv_all_client_packets(zabbix_domain) ++ corenet_tcp_connect_all_ports(zabbix_domain) ++ corenet_tcp_sendrecv_all_ports(zabbix_domain) + ') + + optional_policy(` diff --git a/SPECS/selinux-policy.spec b/SPECS/selinux-policy.spec index e363177..f478c9f 100644 --- a/SPECS/selinux-policy.spec +++ b/SPECS/selinux-policy.spec @@ -19,12 +19,14 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 153%{?dist} +Release: 153%{?dist}.10 License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz patch: policy-f20-base.patch patch1: policy-f20-contrib.patch +patch2: policy-rhel-7.0.z-base.patch +patch3: policy-rhel-7.0.z-contrib.patch Source1: modules-targeted-base.conf Source31: modules-targeted-contrib.conf Source2: booleans-targeted.conf 
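Review bot: The new `patch2`/`patch3` declarations say nothing about what the two z-stream patches contain, while the changelog entries they back (in the %changelog hunk further down) include policy-widening items such as "Make neutron_t as unconfined domain" and "Make openwsman as unconfined_domain in RHEL7.0". A short comment above the two lines, e.g. `# RHEL 7.0.z backports: label fixes plus unconfined_domain for neutron_t/openwsman (see %changelog)`, would let a reviewer see at a glance that these patches loosen confinement rather than only adding file contexts. Which of the two patches carries the unconfined rules cannot be told from this hunk; it is inferred from the changelog text.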
@@ -316,9 +318,11 @@ Based off of reference policy: Checked out revision 2.20091117
 %prep
 %setup -n serefpolicy-contrib-%{version} -q -b 29
 %patch1 -p1
+%patch3 -p1
 contrib_path=`pwd`
 %setup -n serefpolicy-%{version} -q
 %patch -p1
+%patch2 -p1
 refpolicy_path=`pwd`
 cp $contrib_path/* $refpolicy_path/policy/modules/contrib
 
@@ -579,6 +583,56 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Jun 3 2014 Miroslav Grepl 3.12.1-153.el7_0.10 +- Allow swift to execute bin_t +- Allow swift to bind http_cache +- Label /var/log/horizon as an apache log + +* Tue Jun 3 2014 Miroslav Grepl 3.12.1-153.el7_0.9 +- Allow neutron to bind xserver port +- Allow neutron to execute kmod in insmod_t +- Allow neutron to execute udevadm in udev_t +- Allow keepalived to execute bin_t/shell_exec_t +- Allow neutron to create sock files +- Label swift-proxy-server as swift_exec_t + +* Wed May 21 2014 Miroslav Grepl 3.12.1-153.el7_0.8 +- Allow rsync to create swift_server.lock with swift.log labeling +- Add labeling for swift lock files +- Make neutron_t as unconfined domain + +* Mon May 19 2014 Miroslav Grepl 3.12.1-153.el7_0.7 +- Add more fixes for OpenStack +- Add fixes for geard +- Make openwsman as unconfined_domain in RHEL7.0 + +* Mon May 12 2014 Miroslav Grepl 3.12.1-153.el7_0.6 +- Back port openstack fixes +- svirt sandbox domains to read gear content in /run +- Allow gear_t to manage openshift files + +* Wed May 7 2014 Miroslav Grepl 3.12.1-153.el7_0.5 +- More rules for gears and openshift +Resolves:#1092405 + +* Wed May 7 2014 Miroslav Grepl 3.12.1-153.el7_0.4 +- Bump release to rebuild as z-stream +Resolves:#1092405 + +* Wed May 7 2014 Miroslav Grepl 3.12.1-153.el7_0.3 +- Add fixes for gear to just execute ifconfig +- More fixes for mongod_t +Resolves:#1092405 + +* Mon May 5 2014 Miroslav Grepl 3.12.1-153.el7_0.2 +- Bump release +Resolves:#1092405 + +* Mon May 5 2014 Miroslav Grepl 3.12.1-153.el7_0.1 +- Allow mongod to create sock files +Resolves:#1092405 +- Add additional fixes related to docker and upgrade issues + * Mon Apr 7 2014 Miroslav Grepl 3.12.1-153 - Change hsperfdata_root to have as user_tmp_t Resolves:#1076523