diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index ac72c68..16ea301 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -5363,7 +5363,7 @@ index 8e0f9cd..b9f45b9 100644
define(`create_packet_interfaces',``
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index b191055..62570b0 100644
+index b191055..6c1f7f5 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
@@ -5686,7 +5686,15 @@ index b191055..62570b0 100644
network_port(winshadow, tcp,3161,s0, udp,3261,s0)
network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
-@@ -295,12 +347,16 @@ network_port(zope, tcp,8021,s0)
+@@ -288,19 +340,23 @@ network_port(zabbix_agent, tcp,10050,s0)
+ network_port(zookeeper_client, tcp,2181,s0)
+ network_port(zookeeper_election, tcp,3888,s0)
+ network_port(zookeeper_leader, tcp,2888,s0)
+-network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0)
++network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, tcp,2608-2609,s0, udp,2600-2604,s0, udp,2606,s0, udp,2608-2609,s0)
+ network_port(zented, tcp,1229,s0, udp,1229,s0)
+ network_port(zope, tcp,8021,s0)
+
# Defaults for reserved ports. Earlier portcon entries take precedence;
# these entries just cover any remaining reserved ports not otherwise declared.
@@ -44590,7 +44598,7 @@ index e79d545..101086d 100644
')
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
-index 6e91317..260ea6c 100644
+index 6e91317..64e135a 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }')
@@ -44687,7 +44695,7 @@ index 6e91317..260ea6c 100644
# Use (read and write) terminals
#
-define(`rw_term_perms', `{ getattr open read write append ioctl }')
-+define(`rw_inherited_term_perms', `{ getattr read write append ioctl }')
++define(`rw_inherited_term_perms', `{ getattr lock read write append ioctl }')
+define(`rw_term_perms', `{ rw_inherited_term_perms open }')
#
diff --git a/policy-rawhide-contrib-apache-content.patch b/policy-rawhide-contrib-apache-content.patch
new file mode 100644
index 0000000..0c31ccc
--- /dev/null
+++ b/policy-rawhide-contrib-apache-content.patch
@@ -0,0 +1,2114 @@
+diff --git a/apache.if b/apache.if
+index fac6fe5..804867a 100644
+--- a/apache.if
++++ b/apache.if
+@@ -14,99 +14,123 @@
+ template(`apache_content_template',`
+ gen_require(`
+ attribute httpd_exec_scripts, httpd_script_exec_type;
+- type httpd_t, httpd_suexec_t, httpd_log_t;
+- type httpd_sys_content_t;
++ type httpd_t, httpd_suexec_t;
+ attribute httpd_script_type, httpd_content_type;
+ ')
+
+ #This type is for webpages
+- type httpd_$1_content_t; # customizable;
+- typeattribute httpd_$1_content_t httpd_content_type;
+- typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
+- files_type(httpd_$1_content_t)
++ type $1_content_t; # customizable;
++ typeattribute $1_content_t httpd_content_type;
++ typealias $1_content_t alias httpd_$1_script_ro_t;
++ files_type($1_content_t)
+
+ # This type is used for .htaccess files
+- type httpd_$1_htaccess_t, httpd_content_type; # customizable;
+- typeattribute httpd_$1_htaccess_t httpd_content_type;
+- files_type(httpd_$1_htaccess_t)
++ type $1_htaccess_t, httpd_content_type; # customizable;
++ typeattribute $1_htaccess_t httpd_content_type;
++ files_type($1_htaccess_t)
+
+ # Type that CGI scripts run as
+- type httpd_$1_script_t, httpd_script_type;
+- domain_type(httpd_$1_script_t)
+- role system_r types httpd_$1_script_t;
++ type $1_script_t, httpd_script_type;
++ domain_type($1_script_t)
++ role system_r types $1_script_t;
+
+- kernel_read_system_state(httpd_$1_script_t)
++ kernel_read_system_state($1_script_t)
+
+ # This type is used for executable scripts files
+- type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
+- typeattribute httpd_$1_script_exec_t httpd_content_type;
+- domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)
++ type $1_script_exec_t, httpd_script_exec_type; # customizable;
++ typeattribute $1_script_exec_t httpd_content_type;
++ domain_entry_file($1_script_t, $1_script_exec_t)
+
+- type httpd_$1_rw_content_t; # customizable
+- typeattribute httpd_$1_rw_content_t httpd_content_type;
+- typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t };
+- files_type(httpd_$1_rw_content_t)
++ type $1_rw_content_t; # customizable
++ typeattribute $1_rw_content_t httpd_content_type;
++ typealias $1_rw_content_t alias { $1_script_rw_t };
++ files_type($1_rw_content_t)
+
+- type httpd_$1_ra_content_t, httpd_content_type; # customizable
+- typeattribute httpd_$1_ra_content_t httpd_content_type;
+- typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
+- files_type(httpd_$1_ra_content_t)
++ type $1_ra_content_t, httpd_content_type; # customizable
++ typeattribute $1_ra_content_t httpd_content_type;
++ typealias $1_ra_content_t alias { $1_script_ra_t $1_content_ra_t };
++ files_type($1_ra_content_t)
+
+ # Allow the script process to search the cgi directory, and users directory
+- allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms;
++ allow $1_script_t $1_content_t:dir search_dir_perms;
+
+- can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
+- allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms;
++ can_exec($1_script_t, $1_script_exec_t)
++ allow $1_script_t $1_script_exec_t:dir list_dir_perms;
+
+- allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
+- read_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+- append_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+- create_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+- read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
++ allow $1_script_t $1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
++ read_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
++ append_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
++ create_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
++ read_lnk_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
+
+- allow httpd_$1_script_t httpd_$1_content_t:dir list_dir_perms;
+- read_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t)
+- read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t)
++ allow $1_script_t $1_content_t:dir list_dir_perms;
++ read_files_pattern($1_script_t, $1_content_t, $1_content_t)
++ read_lnk_files_pattern($1_script_t, $1_content_t, $1_content_t)
+
+- manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+- manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+- manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+- manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+- manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
++ manage_dirs_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
++ manage_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
++ manage_lnk_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
++ manage_fifo_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
++ manage_sock_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
+
+ # Allow the web server to run scripts and serve pages
+ tunable_policy(`httpd_builtin_scripting',`
+- manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+- manage_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+- manage_lnk_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+- rw_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
++ manage_dirs_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
++ manage_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
++ manage_lnk_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
++ rw_sock_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
+
+- allow httpd_t httpd_$1_ra_content_t:dir { add_entry_dir_perms };
+- read_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+- append_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+- create_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+- read_lnk_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
++ allow httpd_t $1_ra_content_t:dir { add_entry_dir_perms };
++ read_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
++ append_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
++ create_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
++ read_lnk_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
+
+ ')
+
+ tunable_policy(`httpd_enable_cgi',`
+- allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;
++ allow $1_script_t $1_script_exec_t:file entrypoint;
+
+- domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
++ domtrans_pattern(httpd_suexec_t, $1_script_exec_t, $1_script_t)
+
+ # privileged users run the script:
+- domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
++ domtrans_pattern(httpd_exec_scripts, $1_script_exec_t, $1_script_t)
+
+- allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms;
++ allow httpd_exec_scripts $1_script_exec_t:file read_file_perms;
+
+ # apache runs the script:
+- domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
+- allow httpd_t httpd_$1_script_t:unix_dgram_socket sendto;
++ domtrans_pattern(httpd_t, $1_script_exec_t, $1_script_t)
++ allow httpd_t $1_script_t:unix_dgram_socket sendto;
+ ')
+ ')
+
+ ########################################
+ ## <summary>
++## Create a set of derived types for apache
++## web content.
++## </summary>
++## <param name="prefix">
++## <summary>
++## The prefix to be used for deriving new type names.
++## </summary>
++## </param>
++## <param name="oldprefix">
++## <summary>
++## The prefix to be used for deriving old type names.
++## </summary>
++## </param>
++#
++template(`apache_content_alias_template',`
++ typealias $1_htaccess_t alias httpd_$2_htaccess_t;
++ typealias $1_script_t alias httpd_$2_script_t;
++ typealias $1_script_exec_t alias httpd_$2_script_exec_t;
++ typealias $1_content_t alias httpd_$2_content_t;
++ typealias $1_rw_content_t alias httpd_$2_script_rw_content_t;
++ typealias $1_ra_content_t alias httpd_$2_script_ra_content_t;
++')
++
++########################################
++## <summary>
+ ## Role access for apache
+ ## </summary>
+ ## <param name="role">
+diff --git a/apache.te b/apache.te
+index 0e09bca..85e992e 100644
+--- a/apache.te
++++ b/apache.te
+@@ -370,7 +370,7 @@ type httpd_suexec_tmp_t;
+ files_tmp_file(httpd_suexec_tmp_t)
+
+ # setup the system domain for system CGI scripts
+-apache_content_template(sys)
++apache_content_template(httpd_sys)
+
+ typeattribute httpd_sys_content_t httpdcontent; # customizable
+ typeattribute httpd_sys_rw_content_t httpdcontent; # customizable
+@@ -389,7 +389,7 @@ files_tmp_file(httpd_tmp_t)
+ type httpd_tmpfs_t;
+ files_tmpfs_file(httpd_tmpfs_t)
+
+-apache_content_template(user)
++apache_content_template(httpd_user)
+ ubac_constrained(httpd_user_script_t)
+
+ typeattribute httpd_user_content_t httpdcontent;
+@@ -1619,6 +1619,7 @@ allow httpd_t httpd_script_exec_type:dir list_dir_perms;
+ allow httpd_script_type self:process { setsched signal_perms };
+ allow httpd_script_type self:unix_stream_socket create_stream_socket_perms;
+ allow httpd_script_type self:unix_dgram_socket create_socket_perms;
++allow httpd_script_type httpd_t:unix_stream_socket rw_stream_socket_perms;
+
+ allow httpd_script_type httpd_t:fd use;
+ allow httpd_script_type httpd_t:process sigchld;
+diff --git a/apcupsd.fc b/apcupsd.fc
+index 1c37fe1..274704f 100644
+--- a/apcupsd.fc
++++ b/apcupsd.fc
+@@ -14,8 +14,8 @@
+
+ /var/run/apcupsd\.pid -- gen_context(system_u:object_r:apcupsd_var_run_t,s0)
+
+-/var/www/apcupsd/multimon\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
+-/var/www/apcupsd/upsfstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
+-/var/www/apcupsd/upsimage\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
+-/var/www/apcupsd/upsstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
+-/var/www/cgi-bin/apcgui(/.*)? gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
++/var/www/apcupsd/multimon\.cgi -- gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0)
++/var/www/apcupsd/upsfstats\.cgi -- gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0)
++/var/www/apcupsd/upsimage\.cgi -- gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0)
++/var/www/apcupsd/upsstats\.cgi -- gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0)
++/var/www/cgi-bin/apcgui(/.*)? gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0)
+diff --git a/apcupsd.if b/apcupsd.if
+index b6afc90..9c06313 100644
+--- a/apcupsd.if
++++ b/apcupsd.if
+@@ -102,7 +102,7 @@ interface(`apcupsd_append_log',`
+ ########################################
+ ## <summary>
+ ## Execute a domain transition to
+-## run httpd_apcupsd_cgi_script.
++## run apcupsd_cgi_script.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -112,11 +112,11 @@ interface(`apcupsd_append_log',`
+ #
+ interface(`apcupsd_cgi_script_domtrans',`
+ gen_require(`
+- type httpd_apcupsd_cgi_script_t, httpd_apcupsd_cgi_script_exec_t;
++ type apcupsd_cgi_script_t, apcupsd_cgi_script_exec_t;
+ ')
+
+ files_search_var($1)
+- domtrans_pattern($1, httpd_apcupsd_cgi_script_exec_t, httpd_apcupsd_cgi_script_t)
++ domtrans_pattern($1, apcupsd_cgi_script_exec_t, apcupsd_cgi_script_t)
+
+ optional_policy(`
+ apache_search_sys_content($1)
+diff --git a/apcupsd.te b/apcupsd.te
+index b4c43c7..11c215a 100644
+--- a/apcupsd.te
++++ b/apcupsd.te
+@@ -116,19 +116,20 @@ optional_policy(`
+
+ optional_policy(`
+ apache_content_template(apcupsd_cgi)
+-
+- allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms;
+- allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms;
+-
+- corenet_all_recvfrom_netlabel(httpd_apcupsd_cgi_script_t)
+- corenet_tcp_sendrecv_generic_if(httpd_apcupsd_cgi_script_t)
+- corenet_tcp_sendrecv_generic_node(httpd_apcupsd_cgi_script_t)
+- corenet_tcp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t)
+- corenet_sendrecv_apcupsd_client_packets(httpd_apcupsd_cgi_script_t)
+- corenet_tcp_connect_apcupsd_port(httpd_apcupsd_cgi_script_t)
+- corenet_udp_sendrecv_generic_if(httpd_apcupsd_cgi_script_t)
+- corenet_udp_sendrecv_generic_node(httpd_apcupsd_cgi_script_t)
+- corenet_udp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t)
+-
+- sysnet_dns_name_resolve(httpd_apcupsd_cgi_script_t)
++ apache_content_alias_template(apcupsd_cgi, apcupsd_cgi)
++
++ allow apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms;
++ allow apcupsd_cgi_script_t self:udp_socket create_socket_perms;
++
++ corenet_all_recvfrom_netlabel(apcupsd_cgi_script_t)
++ corenet_tcp_sendrecv_generic_if(apcupsd_cgi_script_t)
++ corenet_tcp_sendrecv_generic_node(apcupsd_cgi_script_t)
++ corenet_tcp_sendrecv_all_ports(apcupsd_cgi_script_t)
++ corenet_sendrecv_apcupsd_client_packets(apcupsd_cgi_script_t)
++ corenet_tcp_connect_apcupsd_port(apcupsd_cgi_script_t)
++ corenet_udp_sendrecv_generic_if(apcupsd_cgi_script_t)
++ corenet_udp_sendrecv_generic_node(apcupsd_cgi_script_t)
++ corenet_udp_sendrecv_all_ports(apcupsd_cgi_script_t)
++
++ sysnet_dns_name_resolve(apcupsd_cgi_script_t)
+ ')
+diff --git a/awstats.fc b/awstats.fc
+index 11e6d5f..73b4ea4 100644
+--- a/awstats.fc
++++ b/awstats.fc
+@@ -1,5 +1,5 @@
+ /usr/share/awstats/tools/.+\.pl -- gen_context(system_u:object_r:awstats_exec_t,s0)
+-/usr/share/awstats/wwwroot(/.*)? gen_context(system_u:object_r:httpd_awstats_content_t,s0)
+-/usr/share/awstats/wwwroot/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_awstats_script_exec_t,s0)
++/usr/share/awstats/wwwroot(/.*)? gen_context(system_u:object_r:awstats_content_t,s0)
++/usr/share/awstats/wwwroot/cgi-bin(/.*)? gen_context(system_u:object_r:awstats_script_exec_t,s0)
+
+ /var/lib/awstats(/.*)? gen_context(system_u:object_r:awstats_var_lib_t,s0)
+diff --git a/awstats.te b/awstats.te
+index c222135..ffbf2cb 100644
+--- a/awstats.te
++++ b/awstats.te
+@@ -26,6 +26,7 @@ type awstats_var_lib_t;
+ files_type(awstats_var_lib_t)
+
+ apache_content_template(awstats)
++apache_content_alias_template(awstats, awstats)
+
+ ########################################
+ #
+@@ -40,9 +41,9 @@ files_tmp_filetrans(awstats_t, awstats_tmp_t, { dir file })
+
+ manage_files_pattern(awstats_t, awstats_var_lib_t, awstats_var_lib_t)
+
+-allow awstats_t { httpd_awstats_content_t httpd_awstats_script_exec_t }:dir search_dir_perms;
++allow awstats_t { awstats_content_t awstats_script_exec_t }:dir search_dir_perms;
+
+-can_exec(awstats_t, { awstats_exec_t httpd_awstats_script_exec_t })
++can_exec(awstats_t, { awstats_exec_t awstats_script_exec_t })
+
+ kernel_dontaudit_read_system_state(awstats_t)
+
+@@ -86,13 +87,13 @@ optional_policy(`
+ # CGI local policy
+ #
+
+-apache_read_log(httpd_awstats_script_t)
++apache_read_log(awstats_script_t)
+
+-manage_dirs_pattern(httpd_awstats_script_t, awstats_tmp_t, awstats_tmp_t)
+-manage_files_pattern(httpd_awstats_script_t, awstats_tmp_t, awstats_tmp_t)
+-files_tmp_filetrans(httpd_awstats_script_t, awstats_tmp_t, { dir file })
++manage_dirs_pattern(awstats_script_t, awstats_tmp_t, awstats_tmp_t)
++manage_files_pattern(awstats_script_t, awstats_tmp_t, awstats_tmp_t)
++files_tmp_filetrans(awstats_script_t, awstats_tmp_t, { dir file })
+
+-allow httpd_awstats_script_t awstats_var_lib_t:dir list_dir_perms;
++allow awstats_script_t awstats_var_lib_t:dir list_dir_perms;
+
+-read_files_pattern(httpd_awstats_script_t, awstats_var_lib_t, awstats_var_lib_t)
+-files_search_var_lib(httpd_awstats_script_t)
++read_files_pattern(awstats_script_t, awstats_var_lib_t, awstats_var_lib_t)
++files_search_var_lib(awstats_script_t)
+diff --git a/bugzilla.fc b/bugzilla.fc
+index fb6e397..9efceac 100644
+--- a/bugzilla.fc
++++ b/bugzilla.fc
+@@ -1,4 +1,4 @@
+-/usr/share/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_content_t,s0)
+-/usr/share/bugzilla/.*\.cgi -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0)
++/usr/share/bugzilla(/.*)? gen_context(system_u:object_r:bugzilla_content_t,s0)
++/usr/share/bugzilla/.*\.cgi -- gen_context(system_u:object_r:bugzilla_script_exec_t,s0)
+
+-/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_rw_content_t,s0)
++/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:bugzilla_rw_content_t,s0)
+diff --git a/bugzilla.if b/bugzilla.if
+index bf0cefa..d9ea246 100644
+--- a/bugzilla.if
++++ b/bugzilla.if
+@@ -12,10 +12,10 @@
+ #
+ interface(`bugzilla_search_content',`
+ gen_require(`
+- type httpd_bugzilla_content_t;
++ type bugzilla_content_t;
+ ')
+
+- allow $1 httpd_bugzilla_content_t:dir search_dir_perms;
++ allow $1 bugzilla_content_t:dir search_dir_perms;
+ ')
+
+ ########################################
+@@ -32,10 +32,10 @@ interface(`bugzilla_search_content',`
+ #
+ interface(`bugzilla_dontaudit_rw_stream_sockets',`
+ gen_require(`
+- type httpd_bugzilla_script_t;
++ type bugzilla_script_t;
+ ')
+
+- dontaudit $1 httpd_bugzilla_script_t:unix_stream_socket { read write };
++ dontaudit $1 bugzilla_script_t:unix_stream_socket { read write };
+ ')
+
+ ########################################
+@@ -51,32 +51,32 @@ interface(`bugzilla_dontaudit_rw_stream_sockets',`
+ #
+ interface(`bugzilla_admin',`
+ gen_require(`
+- type httpd_bugzilla_script_t, httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t;
+- type httpd_bugzilla_rw_content_t, httpd_bugzilla_script_exec_t;
+- type httpd_bugzilla_htaccess_t, httpd_bugzilla_tmp_t;
++ type bugzilla_script_t, bugzilla_content_t, bugzilla_ra_content_t;
++ type bugzilla_rw_content_t, bugzilla_script_exec_t;
++ type bugzilla_htaccess_t, bugzilla_tmp_t;
+ ')
+
+- allow $1 httpd_bugzilla_script_t:process signal_perms;
+- ps_process_pattern($1, httpd_bugzilla_script_t)
++ allow $1 bugzilla_script_t:process signal_perms;
++ ps_process_pattern($1, bugzilla_script_t)
+
+ tunable_policy(`deny_ptrace',`',`
+- allow $1 httpd_bugzilla_script_t:process ptrace;
++ allow $1 bugzilla_script_t:process ptrace;
+ ')
+
+ files_list_tmp($1)
+- admin_pattern($1, httpd_bugzilla_tmp_t)
++ admin_pattern($1, bugzilla_tmp_t)
+
+- files_list_var_lib(httpd_bugzilla_script_t)
++ files_list_var_lib(bugzilla_script_t)
+
+- admin_pattern($1, httpd_bugzilla_script_exec_t)
+- admin_pattern($1, httpd_bugzilla_script_t)
+- admin_pattern($1, httpd_bugzilla_content_t)
+- admin_pattern($1, httpd_bugzilla_htaccess_t)
+- admin_pattern($1, httpd_bugzilla_ra_content_t)
++ admin_pattern($1, bugzilla_script_exec_t)
++ admin_pattern($1, bugzilla_script_t)
++ admin_pattern($1, bugzilla_content_t)
++ admin_pattern($1, bugzilla_htaccess_t)
++ admin_pattern($1, bugzilla_ra_content_t)
+
+ files_search_tmp($1)
+ files_search_var_lib($1)
+- admin_pattern($1, httpd_bugzilla_rw_content_t)
++ admin_pattern($1, bugzilla_rw_content_t)
+
+ optional_policy(`
+ apache_list_sys_content($1)
+diff --git a/bugzilla.te b/bugzilla.te
+index d9f3061..c62f617 100644
+--- a/bugzilla.te
++++ b/bugzilla.te
+@@ -6,54 +6,55 @@ policy_module(bugzilla, 1.1.0)
+ #
+
+ apache_content_template(bugzilla)
++apache_content_alias_template(bugzilla, bugzilla)
+
+-type httpd_bugzilla_tmp_t;
+-files_tmp_file(httpd_bugzilla_tmp_t)
++type bugzilla_tmp_t alias httpd_bugzilla_tmp_t;
++files_tmp_file(bugzilla_tmp_t)
+
+ ########################################
+ #
+ # Local policy
+ #
+
+-allow httpd_bugzilla_script_t self:tcp_socket { accept listen };
++allow bugzilla_script_t self:tcp_socket { accept listen };
+
+-corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t)
+-corenet_tcp_sendrecv_generic_if(httpd_bugzilla_script_t)
+-corenet_tcp_sendrecv_generic_node(httpd_bugzilla_script_t)
++corenet_all_recvfrom_netlabel(bugzilla_script_t)
++corenet_tcp_sendrecv_generic_if(bugzilla_script_t)
++corenet_tcp_sendrecv_generic_node(bugzilla_script_t)
+
+-corenet_sendrecv_http_client_packets(httpd_bugzilla_script_t)
+-corenet_tcp_connect_http_port(httpd_bugzilla_script_t)
+-corenet_tcp_sendrecv_http_port(httpd_bugzilla_script_t)
++corenet_sendrecv_http_client_packets(bugzilla_script_t)
++corenet_tcp_connect_http_port(bugzilla_script_t)
++corenet_tcp_sendrecv_http_port(bugzilla_script_t)
+
+-corenet_sendrecv_smtp_client_packets(httpd_bugzilla_script_t)
+-corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t)
+-corenet_tcp_sendrecv_smtp_port(httpd_bugzilla_script_t)
++corenet_sendrecv_smtp_client_packets(bugzilla_script_t)
++corenet_tcp_connect_smtp_port(bugzilla_script_t)
++corenet_tcp_sendrecv_smtp_port(bugzilla_script_t)
+
+-manage_dirs_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t)
+-manage_files_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t)
+-files_tmp_filetrans(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, { file dir })
++manage_dirs_pattern(bugzilla_script_t, bugzilla_tmp_t, bugzilla_tmp_t)
++manage_files_pattern(bugzilla_script_t, bugzilla_tmp_t, bugzilla_tmp_t)
++files_tmp_filetrans(bugzilla_script_t, bugzilla_tmp_t, { file dir })
+
+-files_search_var_lib(httpd_bugzilla_script_t)
++files_search_var_lib(bugzilla_script_t)
+
+-auth_read_passwd(httpd_bugzilla_script_t)
++auth_read_passwd(bugzilla_script_t)
+
+-dev_read_sysfs(httpd_bugzilla_script_t)
++dev_read_sysfs(bugzilla_script_t)
+
+-sysnet_read_config(httpd_bugzilla_script_t)
+-sysnet_use_ldap(httpd_bugzilla_script_t)
++sysnet_read_config(bugzilla_script_t)
++sysnet_use_ldap(bugzilla_script_t)
+
+-miscfiles_read_certs(httpd_bugzilla_script_t)
++miscfiles_read_certs(bugzilla_script_t)
+
+ optional_policy(`
+- mta_send_mail(httpd_bugzilla_script_t)
++ mta_send_mail(bugzilla_script_t)
+ ')
+
+ optional_policy(`
+- mysql_stream_connect(httpd_bugzilla_script_t)
+- mysql_tcp_connect(httpd_bugzilla_script_t)
++ mysql_stream_connect(bugzilla_script_t)
++ mysql_tcp_connect(bugzilla_script_t)
+ ')
+
+ optional_policy(`
+- postgresql_stream_connect(httpd_bugzilla_script_t)
+- postgresql_tcp_connect(httpd_bugzilla_script_t)
++ postgresql_stream_connect(bugzilla_script_t)
++ postgresql_tcp_connect(bugzilla_script_t)
+ ')
+diff --git a/collectd.fc b/collectd.fc
+index 2e7d7ed..8d70290 100644
+--- a/collectd.fc
++++ b/collectd.fc
+@@ -8,4 +8,4 @@
+
+ /var/run/collectd\.pid -- gen_context(system_u:object_r:collectd_var_run_t,s0)
+
+-/usr/share/collectd/collection3/bin/.*\.cgi -- gen_context(system_u:object_r:httpd_collectd_script_exec_t,s0)
++/usr/share/collectd/collection3/bin/.*\.cgi -- gen_context(system_u:object_r:collectd_script_exec_t,s0)
+diff --git a/collectd.te b/collectd.te
+index dc0423c..d078b96 100644
+--- a/collectd.te
++++ b/collectd.te
+@@ -30,9 +30,10 @@ type collectd_unit_file_t;
+ systemd_unit_file(collectd_unit_file_t)
+
+ apache_content_template(collectd)
++apache_content_alias_template(collectd, collectd)
+
+-type httpd_collectd_script_tmp_t;
+-files_tmp_file(httpd_collectd_script_tmp_t)
++type collectd_script_tmp_t alias httpd_collectd_script_tmp_t;
++files_tmp_file(collectd_script_tmp_t)
+
+ ########################################
+ #
+@@ -102,13 +103,13 @@ optional_policy(`
+ #
+
+
+-files_search_var_lib(httpd_collectd_script_t)
+-read_files_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
+-list_dirs_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
+-miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t)
++files_search_var_lib(collectd_script_t)
++read_files_pattern(collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
++list_dirs_pattern(collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
++miscfiles_setattr_fonts_cache_dirs(collectd_script_t)
+
+-manage_dirs_pattern(httpd_collectd_script_t, httpd_collectd_script_tmp_t, httpd_collectd_script_tmp_t)
+-manage_files_pattern(httpd_collectd_script_t, httpd_collectd_script_tmp_t, httpd_collectd_script_tmp_t)
+-files_tmp_filetrans(httpd_collectd_script_t, httpd_collectd_script_tmp_t, { file dir })
++manage_dirs_pattern(collectd_script_t, collectd_script_tmp_t, collectd_script_tmp_t)
++manage_files_pattern(collectd_script_t, collectd_script_tmp_t, collectd_script_tmp_t)
++files_tmp_filetrans(collectd_script_t, collectd_script_tmp_t, { file dir })
+
+-auth_read_passwd(httpd_collectd_script_t)
++auth_read_passwd(collectd_script_t)
+diff --git a/cvs.fc b/cvs.fc
+index 75c8be9..e07e602 100644
+--- a/cvs.fc
++++ b/cvs.fc
+@@ -4,10 +4,10 @@
+
+ /usr/bin/cvs -- gen_context(system_u:object_r:cvs_exec_t,s0)
+
+-/usr/share/cvsweb/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0)
++/usr/share/cvsweb/cvsweb\.cgi -- gen_context(system_u:object_r:cvs_script_exec_t,s0)
+
+ /var/cvs(/.*)? gen_context(system_u:object_r:cvs_data_t,s0)
+
+ /var/run/cvs\.pid -- gen_context(system_u:object_r:cvs_var_run_t,s0)
+
+-/var/www/cgi-bin/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0)
++/var/www/cgi-bin/cvsweb\.cgi -- gen_context(system_u:object_r:cvs_script_exec_t,s0)
+diff --git a/cvs.te b/cvs.te
+index f98a932..c3502c3 100644
+--- a/cvs.te
++++ b/cvs.te
+@@ -125,9 +125,10 @@ optional_policy(`
+
+ optional_policy(`
+ apache_content_template(cvs)
++ apache_content_alias_template(cvs, cvs)
+
+- read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
+- manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+- manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+- files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
++ read_files_pattern(cvs_script_t, cvs_data_t, cvs_data_t)
++ manage_dirs_pattern(cvs_script_t, cvs_tmp_t, cvs_tmp_t)
++ manage_files_pattern(cvs_script_t, cvs_tmp_t, cvs_tmp_t)
++ files_tmp_filetrans(cvs_script_t, cvs_tmp_t, { file dir })
+ ')
+diff --git a/dirsrv-admin.fc b/dirsrv-admin.fc
+index 8c44697..5e44c5e 100644
+--- a/dirsrv-admin.fc
++++ b/dirsrv-admin.fc
+@@ -6,8 +6,8 @@
+ /usr/sbin/start-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
+ /usr/sbin/stop-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
+
+-/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0)
+-/usr/lib/dirsrv/dsgw-cgi-bin(/.*)? gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0)
++/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:dirsrvadmin_script_exec_t,s0)
++/usr/lib/dirsrv/dsgw-cgi-bin(/.*)? gen_context(system_u:object_r:dirsrvadmin_script_exec_t,s0)
+
+ /usr/lib/dirsrv/cgi-bin/ds_create -- gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0)
+ /usr/lib/dirsrv/cgi-bin/ds_remove -- gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0)
+diff --git a/dirsrv-admin.if b/dirsrv-admin.if
+index 30416f2..e360d38 100644
+--- a/dirsrv-admin.if
++++ b/dirsrv-admin.if
+@@ -29,13 +29,13 @@ interface(`dirsrvadmin_run_exec',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`dirsrvadmin_run_httpd_script_exec',`
++interface(`dirsrvadmin_run_script_exec',`
+ gen_require(`
+- type httpd_dirsrvadmin_script_exec_t;
++ type dirsrvadmin_script_exec_t;
+ ')
+
+- allow $1 httpd_dirsrvadmin_script_exec_t:dir search_dir_perms;
+- can_exec($1, httpd_dirsrvadmin_script_exec_t)
++ allow $1 dirsrvadmin_script_exec_t:dir search_dir_perms;
++ can_exec($1, dirsrvadmin_script_exec_t)
+ ')
+
+ ########################################
+diff --git a/dirsrv-admin.te b/dirsrv-admin.te
+index 021c5ae..37afbd4 100644
+--- a/dirsrv-admin.te
++++ b/dirsrv-admin.te
+@@ -70,59 +70,60 @@ optional_policy(`
+
+ optional_policy(`
+ apache_content_template(dirsrvadmin)
++ apache_content_alias_template(dirsrvadmin, dirsrvadmin)
+
+- allow httpd_dirsrvadmin_script_t self:process { getsched getpgid };
+- allow httpd_dirsrvadmin_script_t self:capability { fowner fsetid setuid net_bind_service setgid chown sys_nice kill dac_read_search dac_override };
+- allow httpd_dirsrvadmin_script_t self:tcp_socket create_stream_socket_perms;
+- allow httpd_dirsrvadmin_script_t self:udp_socket create_socket_perms;
+- allow httpd_dirsrvadmin_script_t self:unix_dgram_socket create_socket_perms;
+- allow httpd_dirsrvadmin_script_t self:netlink_route_socket r_netlink_socket_perms;
+- allow httpd_dirsrvadmin_script_t self:sem create_sem_perms;
++ allow dirsrvadmin_script_t self:process { getsched getpgid };
++ allow dirsrvadmin_script_t self:capability { fowner fsetid setuid net_bind_service setgid chown sys_nice kill dac_read_search dac_override };
++ allow dirsrvadmin_script_t self:tcp_socket create_stream_socket_perms;
++ allow dirsrvadmin_script_t self:udp_socket create_socket_perms;
++ allow dirsrvadmin_script_t self:unix_dgram_socket create_socket_perms;
++ allow dirsrvadmin_script_t self:netlink_route_socket r_netlink_socket_perms;
++ allow dirsrvadmin_script_t self:sem create_sem_perms;
+
+
+- manage_files_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_lock_t, dirsrvadmin_lock_t)
+- files_lock_filetrans(httpd_dirsrvadmin_script_t, dirsrvadmin_lock_t, { file })
++ manage_files_pattern(dirsrvadmin_script_t, dirsrvadmin_lock_t, dirsrvadmin_lock_t)
++ files_lock_filetrans(dirsrvadmin_script_t, dirsrvadmin_lock_t, { file })
+
+- kernel_read_kernel_sysctls(httpd_dirsrvadmin_script_t)
++ kernel_read_kernel_sysctls(dirsrvadmin_script_t)
+
+
+- corenet_tcp_bind_generic_node(httpd_dirsrvadmin_script_t)
+- corenet_udp_bind_generic_node(httpd_dirsrvadmin_script_t)
+- corenet_all_recvfrom_netlabel(httpd_dirsrvadmin_script_t)
++ corenet_tcp_bind_generic_node(dirsrvadmin_script_t)
++ corenet_udp_bind_generic_node(dirsrvadmin_script_t)
++ corenet_all_recvfrom_netlabel(dirsrvadmin_script_t)
+
+- corenet_tcp_bind_http_port(httpd_dirsrvadmin_script_t)
+- corenet_tcp_connect_generic_port(httpd_dirsrvadmin_script_t)
+- corenet_tcp_connect_ldap_port(httpd_dirsrvadmin_script_t)
+- corenet_tcp_connect_http_port(httpd_dirsrvadmin_script_t)
++ corenet_tcp_bind_http_port(dirsrvadmin_script_t)
++ corenet_tcp_connect_generic_port(dirsrvadmin_script_t)
++ corenet_tcp_connect_ldap_port(dirsrvadmin_script_t)
++ corenet_tcp_connect_http_port(dirsrvadmin_script_t)
+
+- files_search_var_lib(httpd_dirsrvadmin_script_t)
++ files_search_var_lib(dirsrvadmin_script_t)
+
+- sysnet_read_config(httpd_dirsrvadmin_script_t)
++ sysnet_read_config(dirsrvadmin_script_t)
+
+- manage_files_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+- manage_dirs_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+- files_tmp_filetrans(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, { file dir })
++ manage_files_pattern(dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
++ manage_dirs_pattern(dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
++ files_tmp_filetrans(dirsrvadmin_script_t, dirsrvadmin_tmp_t, { file dir })
+
+ optional_policy(`
+- apache_read_modules(httpd_dirsrvadmin_script_t)
+- apache_read_config(httpd_dirsrvadmin_script_t)
+- apache_signal(httpd_dirsrvadmin_script_t)
+- apache_signull(httpd_dirsrvadmin_script_t)
++ apache_read_modules(dirsrvadmin_script_t)
++ apache_read_config(dirsrvadmin_script_t)
++ apache_signal(dirsrvadmin_script_t)
++ apache_signull(dirsrvadmin_script_t)
+ ')
+
+ optional_policy(`
+ # The CGI scripts must be able to manage dirsrv-admin
+- dirsrvadmin_run_exec(httpd_dirsrvadmin_script_t)
+- dirsrvadmin_manage_config(httpd_dirsrvadmin_script_t)
+- dirsrv_domtrans(httpd_dirsrvadmin_script_t)
+- dirsrv_signal(httpd_dirsrvadmin_script_t)
+- dirsrv_signull(httpd_dirsrvadmin_script_t)
+- dirsrv_manage_log(httpd_dirsrvadmin_script_t)
+- dirsrv_manage_var_lib(httpd_dirsrvadmin_script_t)
+- dirsrv_pid_filetrans(httpd_dirsrvadmin_script_t)
+- dirsrv_manage_var_run(httpd_dirsrvadmin_script_t)
+- dirsrv_manage_config(httpd_dirsrvadmin_script_t)
+- dirsrv_read_share(httpd_dirsrvadmin_script_t)
++ dirsrvadmin_run_exec(dirsrvadmin_script_t)
++ dirsrvadmin_manage_config(dirsrvadmin_script_t)
++ dirsrv_domtrans(dirsrvadmin_script_t)
++ dirsrv_signal(dirsrvadmin_script_t)
++ dirsrv_signull(dirsrvadmin_script_t)
++ dirsrv_manage_log(dirsrvadmin_script_t)
++ dirsrv_manage_var_lib(dirsrvadmin_script_t)
++ dirsrv_pid_filetrans(dirsrvadmin_script_t)
++ dirsrv_manage_var_run(dirsrvadmin_script_t)
++ dirsrv_manage_config(dirsrvadmin_script_t)
++ dirsrv_read_share(dirsrvadmin_script_t)
+ ')
+ ')
+
+diff --git a/dspam.fc b/dspam.fc
+index 3ea0423..b5fcb77 100644
+--- a/dspam.fc
++++ b/dspam.fc
+@@ -2,7 +2,7 @@
+
+ /usr/bin/dspam -- gen_context(system_u:object_r:dspam_exec_t,s0)
+
+-/usr/share/dspam-web/dspam\.cgi -- gen_context(system_u:object_r:httpd_dspam_script_exec_t,s0)
++/usr/share/dspam-web/dspam\.cgi -- gen_context(system_u:object_r:dspam_script_exec_t,s0)
+
+ /var/lib/dspam(/.*)? gen_context(system_u:object_r:dspam_var_lib_t,s0)
+
+@@ -11,7 +11,7 @@
+ /var/run/dspam(/.*)? gen_context(system_u:object_r:dspam_var_run_t,s0)
+
+ # web
+-/var/www/dspam/.*\.cgi -- gen_context(system_u:object_r:httpd_dspam_script_exec_t,s0)
+-/var/www/dspam(/.*?) gen_context(system_u:object_r:httpd_dspam_content_t,s0)
++/var/www/dspam/.*\.cgi -- gen_context(system_u:object_r:dspam_script_exec_t,s0)
++/var/www/dspam(/.*?) gen_context(system_u:object_r:dspam_content_t,s0)
+
+-/var/lib/dspam/data(/.*)? gen_context(system_u:object_r:httpd_dspam_rw_content_t,s0)
++/var/lib/dspam/data(/.*)? gen_context(system_u:object_r:dspam_rw_content_t,s0)
+diff --git a/dspam.te b/dspam.te
+index 37c844b..1ec4d89 100644
+--- a/dspam.te
++++ b/dspam.te
+@@ -75,29 +75,27 @@ logging_send_syslog_msg(dspam_t)
+
+ optional_policy(`
+ apache_content_template(dspam)
++ apache_content_alias_template(dspam, dspam)
+
+- read_files_pattern(httpd_dspam_script_t, dspam_var_lib_t, dspam_var_lib_t)
++ read_files_pattern(dspam_script_t, dspam_var_lib_t, dspam_var_lib_t)
+
+- files_search_var_lib(httpd_dspam_script_t)
+- list_dirs_pattern(dspam_t, httpd_dspam_content_t, httpd_dspam_content_t)
+- manage_dirs_pattern(dspam_t, httpd_dspam_content_rw_t, httpd_dspam_content_rw_t)
+- manage_files_pattern(dspam_t, httpd_dspam_content_rw_t, httpd_dspam_content_rw_t)
++ files_search_var_lib(dspam_script_t)
+
+- domain_dontaudit_read_all_domains_state(httpd_dspam_script_t)
++ domain_dontaudit_read_all_domains_state(dspam_script_t)
+
+- term_dontaudit_search_ptys(httpd_dspam_script_t)
+- term_dontaudit_getattr_all_ttys(httpd_dspam_script_t)
+- term_dontaudit_getattr_all_ptys(httpd_dspam_script_t)
++ term_dontaudit_search_ptys(dspam_script_t)
++ term_dontaudit_getattr_all_ttys(dspam_script_t)
++ term_dontaudit_getattr_all_ptys(dspam_script_t)
+
+- init_read_utmp(httpd_dspam_script_t)
++ init_read_utmp(dspam_script_t)
+
+- logging_send_syslog_msg(httpd_dspam_script_t)
++ logging_send_syslog_msg(dspam_script_t)
+
+- mta_send_mail(httpd_dspam_script_t)
++ mta_send_mail(dspam_script_t)
+
+ optional_policy(`
+- mysql_tcp_connect(httpd_dspam_script_t)
+- mysql_stream_connect(httpd_dspam_script_t)
++ mysql_tcp_connect(dspam_script_t)
++ mysql_stream_connect(dspam_script_t)
+ ')
+ ')
+
+diff --git a/git.fc b/git.fc
+index 24700f8..6561d56 100644
+--- a/git.fc
++++ b/git.fc
+@@ -2,12 +2,12 @@ HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_user_content_t,s0)
+
+ /usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0)
+
+-/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
+-/var/cache/gitweb-caching(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
++/var/cache/cgit(/.*)? gen_context(system_u:object_r:git_rw_content_t,s0)
++/var/cache/gitweb-caching(/.*)? gen_context(system_u:object_r:git_rw_content_t,s0)
+
+ /var/lib/git(/.*)? gen_context(system_u:object_r:git_sys_content_t,s0)
+
+-/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
+-/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
+-/var/www/git/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
+-/var/www/gitweb-caching/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
++/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:git_script_exec_t,s0)
++/var/www/git(/.*)? gen_context(system_u:object_r:git_content_t,s0)
++/var/www/git/gitweb\.cgi -- gen_context(system_u:object_r:git_script_exec_t,s0)
++/var/www/gitweb-caching/gitweb\.cgi -- gen_context(system_u:object_r:git_script_exec_t,s0)
+diff --git a/git.te b/git.te
+index 2609364..d3caffa 100644
+--- a/git.te
++++ b/git.te
+@@ -75,6 +75,7 @@ attribute git_daemon;
+ attribute_role git_session_roles;
+
+ apache_content_template(git)
++apache_content_alias_template(git, git)
+
+ type git_system_t, git_daemon;
+ type gitd_exec_t;
+@@ -210,48 +211,48 @@ tunable_policy(`git_system_use_nfs',`
+ # CGI policy
+ #
+
+-list_dirs_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
+-read_files_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
+-files_search_var_lib(httpd_git_script_t)
++list_dirs_pattern(git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
++read_files_pattern(git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
++files_search_var_lib(git_script_t)
+
+-files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)
++files_dontaudit_getattr_tmp_dirs(git_script_t)
+
+-auth_use_nsswitch(httpd_git_script_t)
++auth_use_nsswitch(git_script_t)
+
+ tunable_policy(`git_cgi_enable_homedirs',`
+- userdom_search_user_home_dirs(httpd_git_script_t)
++ userdom_search_user_home_dirs(git_script_t)
+ ')
+
+ tunable_policy(`git_cgi_enable_homedirs && use_nfs_home_dirs',`
+- fs_getattr_nfs(httpd_git_script_t)
+- fs_list_nfs(httpd_git_script_t)
+- fs_read_nfs_files(httpd_git_script_t)
++ fs_getattr_nfs(git_script_t)
++ fs_list_nfs(git_script_t)
++ fs_read_nfs_files(git_script_t)
+ ',`
+- fs_dontaudit_read_nfs_files(httpd_git_script_t)
++ fs_dontaudit_read_nfs_files(git_script_t)
+ ')
+
+ tunable_policy(`git_cgi_enable_homedirs && use_samba_home_dirs',`
+- fs_getattr_cifs(httpd_git_script_t)
+- fs_list_cifs(httpd_git_script_t)
+- fs_read_cifs_files(httpd_git_script_t)
++ fs_getattr_cifs(git_script_t)
++ fs_list_cifs(git_script_t)
++ fs_read_cifs_files(git_script_t)
+ ',`
+- fs_dontaudit_read_cifs_files(httpd_git_script_t)
++ fs_dontaudit_read_cifs_files(git_script_t)
+ ')
+
+ tunable_policy(`git_cgi_use_cifs',`
+- fs_getattr_cifs(httpd_git_script_t)
+- fs_list_cifs(httpd_git_script_t)
+- fs_read_cifs_files(httpd_git_script_t)
++ fs_getattr_cifs(git_script_t)
++ fs_list_cifs(git_script_t)
++ fs_read_cifs_files(git_script_t)
+ ',`
+- fs_dontaudit_read_cifs_files(httpd_git_script_t)
++ fs_dontaudit_read_cifs_files(git_script_t)
+ ')
+
+ tunable_policy(`git_cgi_use_nfs',`
+- fs_getattr_nfs(httpd_git_script_t)
+- fs_list_nfs(httpd_git_script_t)
+- fs_read_nfs_files(httpd_git_script_t)
++ fs_getattr_nfs(git_script_t)
++ fs_list_nfs(git_script_t)
++ fs_read_nfs_files(git_script_t)
+ ',`
+- fs_dontaudit_read_nfs_files(httpd_git_script_t)
++ fs_dontaudit_read_nfs_files(git_script_t)
+ ')
+
+ ########################################
+diff --git a/lightsquid.fc b/lightsquid.fc
+index 044390c..63e2058 100644
+--- a/lightsquid.fc
++++ b/lightsquid.fc
+@@ -1,11 +1,11 @@
+ /etc/cron\.daily/lightsquid -- gen_context(system_u:object_r:lightsquid_exec_t,s0)
+
+-/usr/lib/cgi-bin/lightsquid/.*\.cfg -- gen_context(system_u:object_r:httpd_lightsquid_content_t,s0)
+-/usr/lib/cgi-bin/lightsquid/.*\.cgi -- gen_context(system_u:object_r:httpd_lightsquid_script_exec_t,s0)
++/usr/lib/cgi-bin/lightsquid/.*\.cfg -- gen_context(system_u:object_r:lightsquid_content_t,s0)
++/usr/lib/cgi-bin/lightsquid/.*\.cgi -- gen_context(system_u:object_r:lightsquid_script_exec_t,s0)
+
+-/usr/share/lightsquid/cgi/.*\.cgi -- gen_context(system_u:object_r:httpd_lightsquid_script_exec_t,s0)
++/usr/share/lightsquid/cgi/.*\.cgi -- gen_context(system_u:object_r:lightsquid_script_exec_t,s0)
+
+ /var/lightsquid(/.*)? gen_context(system_u:object_r:lightsquid_rw_content_t,s0)
+
+-/var/www/html/lightsquid(/.*)? gen_context(system_u:object_r:httpd_lightsquid_content_t,s0)
+-/var/www/html/lightsquid/report(/.*)? gen_context(system_u:object_r:lightsquid_rw_content_t,s0)
++/var/www/html/lightsquid(/.*)? gen_context(system_u:object_r:lightsquid_content_t,s0)
++/var/www/html/lightsquid/report(/.*)? gen_context(system_u:object_r:lightsquid_report_content_t,s0)
+diff --git a/lightsquid.te b/lightsquid.te
+index 75854ed..6c7855e 100644
+--- a/lightsquid.te
++++ b/lightsquid.te
+@@ -13,18 +13,18 @@ type lightsquid_exec_t;
+ application_domain(lightsquid_t, lightsquid_exec_t)
+ role lightsquid_roles types lightsquid_t;
+
+-type lightsquid_rw_content_t;
+-files_type(lightsquid_rw_content_t)
++type lightsquid_report_content_t;
++files_type(lightsquid_report_content_t)
+
+ ########################################
+ #
+ # Local policy
+ #
+
+-manage_dirs_pattern(lightsquid_t, lightsquid_rw_content_t, lightsquid_rw_content_t)
+-manage_files_pattern(lightsquid_t, lightsquid_rw_content_t, lightsquid_rw_content_t)
+-manage_lnk_files_pattern(lightsquid_t, lightsquid_rw_content_t, lightsquid_rw_content_t)
+-files_var_filetrans(lightsquid_t, lightsquid_rw_content_t, dir)
++manage_dirs_pattern(lightsquid_t, lightsquid_report_content_t, lightsquid_report_content_t)
++manage_files_pattern(lightsquid_t, lightsquid_report_content_t, lightsquid_report_content_t)
++manage_lnk_files_pattern(lightsquid_t, lightsquid_report_content_t, lightsquid_report_content_t)
++files_var_filetrans(lightsquid_t, lightsquid_report_content_t, dir)
+
+ corecmd_exec_bin(lightsquid_t)
+ corecmd_exec_shell(lightsquid_t)
+@@ -36,10 +36,11 @@ squid_read_log(lightsquid_t)
+
+ optional_policy(`
+ apache_content_template(lightsquid)
++ apache_content_alias_template(lightsquid, lightsquid)
+
+- list_dirs_pattern(httpd_lightsquid_script_t, lightsquid_rw_content_t, lightsquid_rw_content_t)
+- read_files_pattern(httpd_lightsquid_script_t, lightsquid_rw_content_t, lightsquid_rw_content_t)
+- read_lnk_files_pattern(httpd_lightsquid_script_t, lightsquid_rw_content_t, lightsquid_rw_content_t)
++ list_dirs_pattern(lightsquid_script_t, lightsquid_report_content_t, lightsquid_report_content_t)
++ read_files_pattern(lightsquid_script_t, lightsquid_report_content_t, lightsquid_report_content_t)
++ read_lnk_files_pattern(lightsquid_script_t, lightsquid_report_content_t, lightsquid_report_content_t)
+ ')
+
+ optional_policy(`
+diff --git a/man2html.fc b/man2html.fc
+index 82f6255..3686732 100644
+--- a/man2html.fc
++++ b/man2html.fc
+@@ -1,5 +1,5 @@
+-/usr/lib/man2html/cgi-bin/man/man2html -- gen_context(system_u:object_r:httpd_man2html_script_exec_t,s0)
+-/usr/lib/man2html/cgi-bin/man/mansec -- gen_context(system_u:object_r:httpd_man2html_script_exec_t,s0)
+-/usr/lib/man2html/cgi-bin/man/manwhatis -- gen_context(system_u:object_r:httpd_man2html_script_exec_t,s0)
++/usr/lib/man2html/cgi-bin/man/man2html -- gen_context(system_u:object_r:man2html_script_exec_t,s0)
++/usr/lib/man2html/cgi-bin/man/mansec -- gen_context(system_u:object_r:man2html_script_exec_t,s0)
++/usr/lib/man2html/cgi-bin/man/manwhatis -- gen_context(system_u:object_r:man2html_script_exec_t,s0)
+
+-/var/cache/man2html(/.*)? gen_context(system_u:object_r:httpd_man2html_script_cache_t,s0)
++/var/cache/man2html(/.*)? gen_context(system_u:object_r:man2html_rw_content_t,s0)
+diff --git a/man2html.if b/man2html.if
+index fe43dea..53eaf61 100644
+--- a/man2html.if
++++ b/man2html.if
+@@ -2,7 +2,7 @@
+
+ ########################################
+ ## <summary>
+-## Transition to httpd_man2html_script.
++## Transition to man2html_script.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -10,18 +10,18 @@
+ ## </summary>
+ ## </param>
+ #
+-interface(`httpd_man2html_script_domtrans',`
++interface(`man2html_script_domtrans',`
+ gen_require(`
+- type httpd_man2html_script_t, httpd_man2html_script_exec_t;
++ type man2html_script_t, man2html_script_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+- domtrans_pattern($1, httpd_man2html_script_exec_t, httpd_man2html_script_t)
++ domtrans_pattern($1, man2html_script_exec_t, man2html_script_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Search httpd_man2html_script cache directories.
++## Search man2html_script content directories.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -29,18 +29,19 @@ interface(`httpd_man2html_script_domtrans',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`httpd_man2html_script_search_cache',`
++interface(`man2html_search_content',`
+ gen_require(`
+- type httpd_man2html_script_cache_t;
++ type man2html_content_t;
++ type man2html_rw_content_t;
+ ')
+
+- allow $1 httpd_man2html_script_cache_t:dir search_dir_perms;
++ allow $1 { man2html_rw_content_t man2html_content_t }:dir search_dir_perms;
+ files_search_var($1)
+ ')
+
+ ########################################
+ ## <summary>
+-## Read httpd_man2html_script cache files.
++## Read man2html cache files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -48,19 +49,22 @@ interface(`httpd_man2html_script_search_cache',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`httpd_man2html_script_read_cache_files',`
++interface(`man2html_read_content_files',`
+ gen_require(`
+- type httpd_man2html_script_cache_t;
++ type man2html_content_t;
++ type man2html_rw_content_t;
+ ')
+
+ files_search_var($1)
+- read_files_pattern($1, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
++ allow $1 { man2html_rw_content_t man2html_content_t }:dir search_dir_perms;
++ read_files_pattern($1, man2html_rw_content_t, man2html_rw_content_t)
++ read_files_pattern($1, man2html_content_t, man2html_content_t)
+ ')
+
+ ########################################
+ ## <summary>
+ ## Create, read, write, and delete
+-## httpd_man2html_script cache files.
++## man2html content files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -68,18 +72,21 @@ interface(`httpd_man2html_script_read_cache_files',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`httpd_man2html_script_manage_cache_files',`
++interface(`man2html_manage_content_files',`
+ gen_require(`
+- type httpd_man2html_script_cache_t;
++ type man2html_content_t;
++ type man2html_rw_content_t;
+ ')
+
+ files_search_var($1)
+- manage_files_pattern($1, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
++ manage_files_pattern($1, man2html_rw_content_t, man2html_rw_content_t)
++ manage_files_pattern($1, man2html_content_t, man2html_content_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Manage httpd_man2html_script cache dirs.
++## Create, read, write, and delete
++## man2html content dirs.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -87,20 +94,21 @@ interface(`httpd_man2html_script_manage_cache_files',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`httpd_man2html_script_manage_cache_dirs',`
++interface(`man2html_manage_content_dirs',`
+ gen_require(`
+- type httpd_man2html_script_cache_t;
++ type man2html_content_t;
++ type man2html_rw_content_t;
+ ')
+
+ files_search_var($1)
+- manage_dirs_pattern($1, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
++ manage_dirs_pattern($1, man2html_rw_content_t, man2html_rw_content_t)
++ manage_dirs_pattern($1, man2html_content_t, man2html_content_t)
+ ')
+
+-
+ ########################################
+ ## <summary>
+ ## All of the rules required to administrate
+-## an httpd_man2html_script environment
++## an man2html environment
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -108,17 +116,19 @@ interface(`httpd_man2html_script_manage_cache_dirs',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`httpd_man2html_script_admin',`
++interface(`man2html_admin',`
+ gen_require(`
+- type httpd_man2html_script_t;
+- type httpd_man2html_script_cache_t;
++ type man2html_script_t;
++ type man2html_rw_content_t;
++ type man2html_content_t;
+ ')
+
+- allow $1 httpd_man2html_script_t:process { ptrace signal_perms };
+- ps_process_pattern($1, httpd_man2html_script_t)
++ allow $1 man2html_script_t:process { ptrace signal_perms };
++ ps_process_pattern($1, man2html_script_t)
+
+ files_search_var($1)
+- admin_pattern($1, httpd_man2html_script_cache_t)
++ admin_pattern($1, man2html_content_t)
++ admin_pattern($1, man2html_rw_content_t)
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+diff --git a/man2html.te b/man2html.te
+index 9e634bd..24b56e9 100644
+--- a/man2html.te
++++ b/man2html.te
+@@ -6,23 +6,17 @@ policy_module(man2html, 1.0.0)
+ #
+
+
+-type httpd_man2html_script_cache_t;
+-files_type(httpd_man2html_script_cache_t)
+-
+ ########################################
+ #
+-# httpd_man2html_script local policy
++# man2html_script local policy
+ #
+
+ optional_policy(`
+-
+ apache_content_template(man2html)
++ apache_content_alias_template(man2html, man2html)
+
+- allow httpd_man2html_script_t self:process { fork };
+-
+- manage_dirs_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
+- manage_files_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
+- manage_lnk_files_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
+- files_var_filetrans(httpd_man2html_script_t, httpd_man2html_script_cache_t, { dir file })
++ allow man2html_script_t self:process fork;
+
++ typealias man2html_rw_content_t alias man2html_script_cache_t;
++ files_var_filetrans(man2html_script_t, man2html_rw_content_t, { dir file })
+ ')
+diff --git a/mediawiki.fc b/mediawiki.fc
+index 99f7c41..93ec6db 100644
+--- a/mediawiki.fc
++++ b/mediawiki.fc
+@@ -1,8 +1,8 @@
+-/usr/lib/mediawiki/math/texvc -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)
+-/usr/lib/mediawiki/math/texvc_tex -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)
+-/usr/lib/mediawiki/math/texvc_tes -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)
++/usr/lib/mediawiki/math/texvc -- gen_context(system_u:object_r:mediawiki_script_exec_t,s0)
++/usr/lib/mediawiki/math/texvc_tex -- gen_context(system_u:object_r:mediawiki_script_exec_t,s0)
++/usr/lib/mediawiki/math/texvc_tes -- gen_context(system_u:object_r:mediawiki_script_exec_t,s0)
+
+-/usr/share/mediawiki(/.*)? gen_context(system_u:object_r:httpd_mediawiki_content_t,s0)
++/usr/share/mediawiki(/.*)? gen_context(system_u:object_r:mediawiki_content_t,s0)
+
+-/var/www/wiki(/.*)? gen_context(system_u:object_r:httpd_mediawiki_rw_content_t,s0)
+-/var/www/wiki/.*\.php -- gen_context(system_u:object_r:httpd_mediawiki_content_t,s0)
++/var/www/wiki(/.*)? gen_context(system_u:object_r:mediawiki_rw_content_t,s0)
++/var/www/wiki/.*\.php -- gen_context(system_u:object_r:mediawiki_content_t,s0)
+diff --git a/mediawiki.if b/mediawiki.if
+index 1c1d012..9b183e6 100644
+--- a/mediawiki.if
++++ b/mediawiki.if
+@@ -13,12 +13,12 @@
+ #
+ interface(`mediawiki_read_tmp_files',`
+ gen_require(`
+- type httpd_mediawiki_tmp_t;
++ type mediawiki_tmp_t;
+ ')
+
+ files_search_tmp($1)
+- read_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
+- read_lnk_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
++ read_files_pattern($1, mediawiki_tmp_t, mediawiki_tmp_t)
++ read_lnk_files_pattern($1, mediawiki_tmp_t, mediawiki_tmp_t)
+ ')
+
+ #######################################
+@@ -33,8 +33,8 @@ interface(`mediawiki_read_tmp_files',`
+ #
+ interface(`mediawiki_delete_tmp_files',`
+ gen_require(`
+- type httpd_mediawiki_tmp_t;
++ type mediawiki_tmp_t;
+ ')
+
+- delete_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
++ delete_files_pattern($1, mediawiki_tmp_t, mediawiki_tmp_t)
+ ')
+diff --git a/mediawiki.te b/mediawiki.te
+index 212712c..fcbc191 100644
+--- a/mediawiki.te
++++ b/mediawiki.te
+@@ -5,16 +5,26 @@ policy_module(mediawiki, 1.0.0)
+ # Declarations
+ #
+
+-optional_policy(`
+-
+- apache_content_template(mediawiki)
++type mediawiki_tmp_t;
++files_tmp_file(mediawiki_tmp_t)
+
+ ########################################
+ #
+ # Local policy
+ #
+
+- files_search_var_lib(httpd_mediawiki_script_t)
++optional_policy(`
++
++ apache_content_template(mediawiki)
++ apache_content_alias_template(mediawiki, mediawiki)
++
++ manage_dirs_pattern(mediawiki_script_t, mediawiki_tmp_t, mediawiki_tmp_t)
++ manage_files_pattern(mediawiki_script_t, mediawiki_tmp_t, mediawiki_tmp_t)
++ manage_sock_files_pattern(mediawiki_script_t, mediawiki_tmp_t, mediawiki_tmp_t)
++ manage_lnk_files_pattern(mediawiki_script_t, mediawiki_tmp_t, mediawiki_tmp_t)
++ files_tmp_filetrans(mediawiki_script_t, mediawiki_tmp_t, { file dir lnk_file })
++
++ files_search_var_lib(mediawiki_script_t)
+
+- miscfiles_read_tetex_data(httpd_mediawiki_script_t)
++ miscfiles_read_tetex_data(mediawiki_script_t)
+ ')
+diff --git a/mojomojo.fc b/mojomojo.fc
+index 7b827ca..5ee8a0f 100644
+--- a/mojomojo.fc
++++ b/mojomojo.fc
+@@ -1,5 +1,5 @@
+-/usr/bin/mojomojo_fastcgi\.pl -- gen_context(system_u:object_r:httpd_mojomojo_script_exec_t,s0)
++/usr/bin/mojomojo_fastcgi\.pl -- gen_context(system_u:object_r:mojomojo_script_exec_t,s0)
+
+-/usr/share/mojomojo/root(/.*)? gen_context(system_u:object_r:httpd_mojomojo_content_t,s0)
++/usr/share/mojomojo/root(/.*)? gen_context(system_u:object_r:mojomojo_content_t,s0)
+
+-/var/lib/mojomojo(/.*)? gen_context(system_u:object_r:httpd_mojomojo_rw_content_t,s0)
++/var/lib/mojomojo(/.*)? gen_context(system_u:object_r:mojomojo_rw_content_t,s0)
+diff --git a/mojomojo.te b/mojomojo.te
+index 9556487..25d1d33 100644
+--- a/mojomojo.te
++++ b/mojomojo.te
+@@ -5,8 +5,8 @@ policy_module(mojomojo, 1.1.0)
+ # Declarations
+ #
+
+-type httpd_mojomojo_tmp_t;
+-files_tmp_file(httpd_mojomojo_tmp_t)
++type mojomojo_tmp_t alias httpd_mojomojo_tmp_t;
++files_tmp_file(mojomojo_tmp_t)
+
+ ########################################
+ #
+@@ -15,31 +15,30 @@ files_tmp_file(httpd_mojomojo_tmp_t)
+
+ optional_policy(`
+ apache_content_template(mojomojo)
++ apache_content_alias_template(mojomojo, mojomojo)
+
+- allow httpd_mojomojo_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
++ manage_dirs_pattern(mojomojo_script_t, mojomojo_tmp_t, mojomojo_tmp_t)
++ manage_files_pattern(mojomojo_script_t, mojomojo_tmp_t, mojomojo_tmp_t)
++ files_tmp_filetrans(mojomojo_script_t, mojomojo_tmp_t, { file dir })
+
+- manage_dirs_pattern(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, httpd_mojomojo_tmp_t)
+- manage_files_pattern(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, httpd_mojomojo_tmp_t)
+- files_tmp_filetrans(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, { file dir })
++ corenet_tcp_connect_postgresql_port(mojomojo_script_t)
++ corenet_tcp_connect_mysqld_port(mojomojo_script_t)
++ corenet_tcp_connect_smtp_port(mojomojo_script_t)
++ corenet_sendrecv_postgresql_client_packets(mojomojo_script_t)
++ corenet_sendrecv_mysqld_client_packets(mojomojo_script_t)
++ corenet_sendrecv_smtp_client_packets(mojomojo_script_t)
+
+- corenet_tcp_connect_postgresql_port(httpd_mojomojo_script_t)
+- corenet_tcp_connect_mysqld_port(httpd_mojomojo_script_t)
+- corenet_tcp_connect_smtp_port(httpd_mojomojo_script_t)
+- corenet_sendrecv_postgresql_client_packets(httpd_mojomojo_script_t)
+- corenet_sendrecv_mysqld_client_packets(httpd_mojomojo_script_t)
+- corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t)
++ files_search_var_lib(mojomojo_script_t)
+
+- files_search_var_lib(httpd_mojomojo_script_t)
++ sysnet_dns_name_resolve(mojomojo_script_t)
+
+- sysnet_dns_name_resolve(httpd_mojomojo_script_t)
+-
+- mta_send_mail(httpd_mojomojo_script_t)
++ mta_send_mail(mojomojo_script_t)
+
+ optional_policy(`
+- mysql_stream_connect(httpd_mojomojo_script_t)
++ mysql_stream_connect(mojomojo_script_t)
+ ')
+
+ optional_policy(`
+- postgresql_stream_connect(httpd_mojomojo_script_t)
++ postgresql_stream_connect(mojomojo_script_t)
+ ')
+ ')
+diff --git a/munin.fc b/munin.fc
+index 4968324..af28bb5 100644
+--- a/munin.fc
++++ b/munin.fc
+@@ -73,7 +73,7 @@
+ /var/lib/munin/plugin-state(/.*)? gen_context(system_u:object_r:munin_plugin_state_t,s0)
+ /var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0)
+ /var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0)
+-/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0)
+-/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
+-/var/www/html/cgi/munin.* gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
+-/var/www/cgi-bin/munin.* gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
++/var/www/html/munin(/.*)? gen_context(system_u:object_r:munin_content_t,s0)
++/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:munin_script_exec_t,s0)
++/var/www/html/cgi/munin.* gen_context(system_u:object_r:munin_script_exec_t,s0)
++/var/www/cgi-bin/munin.* gen_context(system_u:object_r:munin_script_exec_t,s0)
+diff --git a/munin.if b/munin.if
+index 4c1b6a8..900d083 100644
+--- a/munin.if
++++ b/munin.if
+@@ -209,7 +209,7 @@ interface(`munin_admin',`
+ attribute munin_plugin_domain, munin_plugin_tmp_content;
+ type munin_t, munin_etc_t, munin_tmp_t;
+ type munin_log_t, munin_var_lib_t, munin_var_run_t;
+- type httpd_munin_content_t, munin_plugin_state_t, munin_initrc_exec_t;
++ type munin_content_t, munin_plugin_state_t, munin_initrc_exec_t;
+ ')
+
+ allow $1 munin_t:process signal_perms;
+@@ -239,5 +239,5 @@ interface(`munin_admin',`
+ files_list_pids($1)
+ admin_pattern($1, munin_var_run_t)
+
+- admin_pattern($1, httpd_munin_content_t)
++ admin_pattern($1, munin_content_t)
+ ')
+diff --git a/munin.te b/munin.te
+index cead88c..16b96d0 100644
+--- a/munin.te
++++ b/munin.te
+@@ -44,8 +44,8 @@ files_tmpfs_file(services_munin_plugin_tmpfs_t)
+ munin_plugin_template(system)
+ munin_plugin_template(unconfined)
+
+-type httpd_munin_script_tmp_t;
+-files_tmp_file(httpd_munin_script_tmp_t)
++type munin_script_tmp_t alias httpd_munin_script_tmp_t;
++files_tmp_file(munin_script_tmp_t)
+
+ ################################
+ #
+@@ -435,22 +435,23 @@ optional_policy(`
+ #
+
+ apache_content_template(munin)
++apache_content_alias_template(munin, munin)
+
+-manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
+-manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
++manage_dirs_pattern(munin_t, munin_content_t, munin_content_t)
++manage_files_pattern(munin_t, munin_content_t, munin_content_t)
+
+-manage_dirs_pattern(httpd_munin_script_t, httpd_munin_script_tmp_t, httpd_munin_script_tmp_t)
+-manage_files_pattern(httpd_munin_script_t, httpd_munin_script_tmp_t,httpd_munin_script_tmp_t)
++manage_dirs_pattern(munin_script_t, munin_script_tmp_t, munin_script_tmp_t)
++manage_files_pattern(munin_script_t, munin_script_tmp_t,munin_script_tmp_t)
+
+-read_files_pattern(httpd_munin_script_t, munin_var_lib_t, munin_var_lib_t)
+-read_files_pattern(httpd_munin_script_t, munin_etc_t, munin_etc_t)
++read_files_pattern(munin_script_t, munin_var_lib_t, munin_var_lib_t)
++read_files_pattern(munin_script_t, munin_etc_t, munin_etc_t)
+
+-read_files_pattern(httpd_munin_script_t, munin_log_t, munin_log_t)
+-append_files_pattern(httpd_munin_script_t, munin_log_t, munin_log_t)
++read_files_pattern(munin_script_t, munin_log_t, munin_log_t)
++append_files_pattern(munin_script_t, munin_log_t, munin_log_t)
+
+-files_search_var_lib(httpd_munin_script_t)
++files_search_var_lib(munin_script_t)
+
+-auth_read_passwd(httpd_munin_script_t)
++auth_read_passwd(munin_script_t)
+
+ optional_policy(`
+ apache_search_sys_content(munin_t)
+diff --git a/mythtv.fc b/mythtv.fc
+index 3a1c423..d62cf88 100644
+--- a/mythtv.fc
++++ b/mythtv.fc
+@@ -1,9 +1,9 @@
+-/usr/share/mythweb/mythweb\.pl -- gen_context(system_u:object_r:httpd_mythtv_script_exec_t,s0)
++/usr/share/mythweb/mythweb\.pl -- gen_context(system_u:object_r:mythtv_script_exec_t,s0)
+
+ /var/lib/mythtv(/.*)? gen_context(system_u:object_r:mythtv_var_lib_t,s0)
+
+ /var/log/mythtv(/.*)? gen_context(system_u:object_r:mythtv_var_log_t,s0)
+
+-/usr/share/mythtv(/.*)? gen_context(system_u:object_r:httpd_mythtv_content_t,s0)
+-/usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_mythtv_content_t,s0)
+-/usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:httpd_mythtv_script_exec_t,s0)
++/usr/share/mythtv(/.*)? gen_context(system_u:object_r:mythtv_content_t,s0)
++/usr/share/mythweb(/.*)? gen_context(system_u:object_r:mythtv_content_t,s0)
++/usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:mythtv_script_exec_t,s0)
+diff --git a/mythtv.if b/mythtv.if
+index 171f666..e2403dd 100644
+--- a/mythtv.if
++++ b/mythtv.if
+@@ -1,9 +1,9 @@
+
+-## <summary>policy for httpd_mythtv_script</summary>
++## <summary>policy for mythtv_script</summary>
+
+ ########################################
+ ## <summary>
+-## Execute TEMPLATE in the httpd_mythtv_script domin.
++## Execute TEMPLATE in the mythtv_script domin.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -11,13 +11,13 @@
+ ## </summary>
+ ## </param>
+ #
+-interface(`httpd_mythtv_script_domtrans',`
++interface(`mythtv_script_domtrans',`
+ gen_require(`
+- type httpd_mythtv_script_t, httpd_mythtv_script_exec_t;
++ type mythtv_script_t, mythtv_script_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+- domtrans_pattern($1, httpd_mythtv_script_exec_t, httpd_mythtv_script_t)
++ domtrans_pattern($1, mythtv_script_exec_t, mythtv_script_t)
+ ')
+
+ #######################################
+@@ -133,15 +133,15 @@ interface(`mythtv_manage_log',`
+ #
+ interface(`mythtv_admin',`
+ gen_require(`
+- type httpd_mythtv_script_t, mythtv_var_lib_t;
++ type mythtv_script_t, mythtv_var_lib_t;
+ type mythtv_var_log_t;
+ ')
+
+- allow $1 httpd_mythtv_script_t:process signal_perms;
+- ps_process_pattern($1, httpd_mythtv_script_t)
++ allow $1 mythtv_script_t:process signal_perms;
++ ps_process_pattern($1, mythtv_script_t)
+
+ tunable_policy(`deny_ptrace',`',`
+- allow $1 httpd_mythtv_script_t:process ptrace;
++ allow $1 mythtv_script_t:process ptrace;
+ ')
+
+ logging_list_logs($1)
+diff --git a/mythtv.te b/mythtv.te
+index 90129ac..7a4910c 100644
+--- a/mythtv.te
++++ b/mythtv.te
+@@ -6,6 +6,7 @@ policy_module(mythtv, 1.0.0)
+ #
+
+ apache_content_template(mythtv)
++apache_content_alias_template(mythtv, mythtv)
+
+ type mythtv_var_lib_t;
+ files_type(mythtv_var_lib_t)
+@@ -15,27 +16,27 @@ logging_log_file(mythtv_var_log_t)
+
+ ########################################
+ #
+-# httpd_mythtv_script local policy
++# mythtv_script local policy
+ #
+
+-manage_files_pattern(httpd_mythtv_script_t, mythtv_var_lib_t, mythtv_var_lib_t)
+-manage_dirs_pattern(httpd_mythtv_script_t, mythtv_var_lib_t, mythtv_var_lib_t)
+-files_var_lib_filetrans(httpd_mythtv_script_t, mythtv_var_lib_t, { dir file })
++manage_files_pattern(mythtv_script_t, mythtv_var_lib_t, mythtv_var_lib_t)
++manage_dirs_pattern(mythtv_script_t, mythtv_var_lib_t, mythtv_var_lib_t)
++files_var_lib_filetrans(mythtv_script_t, mythtv_var_lib_t, { dir file })
+
+-manage_files_pattern(httpd_mythtv_script_t, mythtv_var_log_t, mythtv_var_log_t)
+-manage_dirs_pattern(httpd_mythtv_script_t, mythtv_var_log_t, mythtv_var_log_t)
+-logging_log_filetrans(httpd_mythtv_script_t, mythtv_var_log_t, file )
++manage_files_pattern(mythtv_script_t, mythtv_var_log_t, mythtv_var_log_t)
++manage_dirs_pattern(mythtv_script_t, mythtv_var_log_t, mythtv_var_log_t)
++logging_log_filetrans(mythtv_script_t, mythtv_var_log_t, file )
+
+-domain_use_interactive_fds(httpd_mythtv_script_t)
++domain_use_interactive_fds(mythtv_script_t)
+
+-files_read_etc_files(httpd_mythtv_script_t)
++files_read_etc_files(mythtv_script_t)
+
+-fs_read_nfs_files(httpd_mythtv_script_t)
++fs_read_nfs_files(mythtv_script_t)
+
+-miscfiles_read_localization(httpd_mythtv_script_t)
++miscfiles_read_localization(mythtv_script_t)
+
+ optional_policy(`
+- mysql_read_config(httpd_mythtv_script_t)
+- mysql_stream_connect(httpd_mythtv_script_t)
+- mysql_tcp_connect(httpd_mythtv_script_t)
++ mysql_read_config(mythtv_script_t)
++ mysql_stream_connect(mythtv_script_t)
++ mysql_tcp_connect(mythtv_script_t)
+ ')
+diff --git a/nagios.fc b/nagios.fc
+index a00cc2d..24a2dec 100644
+--- a/nagios.fc
++++ b/nagios.fc
+@@ -6,8 +6,8 @@
+ /usr/s?bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
+ /usr/s?bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0)
+
+-/usr/lib/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+-/usr/lib/nagios/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
++/usr/lib/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:nagios_script_exec_t,s0)
++/usr/lib/nagios/cgi(/.*)? gen_context(system_u:object_r:nagios_script_exec_t,s0)
+
+ /var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
+ /var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
+@@ -19,8 +19,8 @@
+ ifdef(`distro_debian',`
+ /usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
+ ')
+-/usr/lib/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+-/usr/lib/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
++/usr/lib/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:nagios_script_exec_t,s0)
++/usr/lib/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:nagios_script_exec_t,s0)
+
+ # admin plugins
+ /usr/lib/nagios/plugins/check_file_age -- gen_context(system_u:object_r:nagios_admin_plugin_exec_t,s0)
+diff --git a/nagios.te b/nagios.te
+index f565a0e..1726e88 100644
+--- a/nagios.te
++++ b/nagios.te
+@@ -186,33 +186,34 @@ optional_policy(`
+
+ optional_policy(`
+ apache_content_template(nagios)
+- typealias httpd_nagios_script_t alias nagios_cgi_t;
+- typealias httpd_nagios_script_exec_t alias nagios_cgi_exec_t;
++ apache_content_alias_template(nagios, nagios)
++ typealias nagios_script_t alias nagios_cgi_t;
++ typealias nagios_script_exec_t alias nagios_cgi_exec_t;
+
+- allow httpd_nagios_script_t self:process signal_perms;
++ allow nagios_script_t self:process signal_perms;
+
+- read_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t)
+- read_lnk_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t)
++ read_files_pattern(nagios_script_t, nagios_t, nagios_t)
++ read_lnk_files_pattern(nagios_script_t, nagios_t, nagios_t)
+
+- allow httpd_nagios_script_t nagios_etc_t:dir list_dir_perms;
+- allow httpd_nagios_script_t nagios_etc_t:file read_file_perms;
+- allow httpd_nagios_script_t nagios_etc_t:lnk_file read_lnk_file_perms;
++ allow nagios_script_t nagios_etc_t:dir list_dir_perms;
++ allow nagios_script_t nagios_etc_t:file read_file_perms;
++ allow nagios_script_t nagios_etc_t:lnk_file read_lnk_file_perms;
+
+- files_search_spool(httpd_nagios_script_t)
+- rw_fifo_files_pattern(httpd_nagios_script_t, nagios_spool_t, nagios_spool_t)
++ files_search_spool(nagios_script_t)
++ rw_fifo_files_pattern(nagios_script_t, nagios_spool_t, nagios_spool_t)
+
+- allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms;
+- read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)
+- read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)
++ allow nagios_script_t nagios_log_t:dir list_dir_perms;
++ read_files_pattern(nagios_script_t, nagios_etc_t, nagios_log_t)
++ read_lnk_files_pattern(nagios_script_t, nagios_etc_t, nagios_log_t)
+
+- kernel_read_system_state(httpd_nagios_script_t)
++ kernel_read_system_state(nagios_script_t)
+
+- domain_dontaudit_read_all_domains_state(httpd_nagios_script_t)
++ domain_dontaudit_read_all_domains_state(nagios_script_t)
+
+- files_read_etc_runtime_files(httpd_nagios_script_t)
+- files_read_kernel_symbol_table(httpd_nagios_script_t)
++ files_read_etc_runtime_files(nagios_script_t)
++ files_read_kernel_symbol_table(nagios_script_t)
+
+- logging_send_syslog_msg(httpd_nagios_script_t)
++ logging_send_syslog_msg(nagios_script_t)
+ ')
+
+ ########################################
+diff --git a/nut.fc b/nut.fc
+index 41ff159..fac7d7b 100644
+--- a/nut.fc
++++ b/nut.fc
+@@ -11,6 +11,6 @@
+
+ /var/run/nut(/.*)? gen_context(system_u:object_r:nut_var_run_t,s0)
+
+-/var/www/nut-cgi-bin/upsimage\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
+-/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
+-/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
++/var/www/nut-cgi-bin/upsimage\.cgi -- gen_context(system_u:object_r:nutups_cgi_script_exec_t,s0)
++/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:nutups_cgi_script_exec_t,s0)
++/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:nutups_cgi_script_exec_t,s0)
+diff --git a/nut.te b/nut.te
+index 1701352..249224e 100644
+--- a/nut.te
++++ b/nut.te
+@@ -166,17 +166,18 @@ logging_send_syslog_msg(nut_upsdrvctl_t)
+
+ optional_policy(`
+ apache_content_template(nutups_cgi)
++ apache_content_alias_template(nutups_cgi,nutups_cgi)
+
+- read_files_pattern(httpd_nutups_cgi_script_t, nut_conf_t, nut_conf_t)
++ read_files_pattern(nutups_cgi_script_t, nut_conf_t, nut_conf_t)
+
+- corenet_all_recvfrom_netlabel(httpd_nutups_cgi_script_t)
+- corenet_tcp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
+- corenet_tcp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
+- corenet_tcp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
+- corenet_tcp_connect_ups_port(httpd_nutups_cgi_script_t)
+- corenet_udp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
+- corenet_udp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
+- corenet_udp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
++ corenet_all_recvfrom_netlabel(nutups_cgi_script_t)
++ corenet_tcp_sendrecv_generic_if(nutups_cgi_script_t)
++ corenet_tcp_sendrecv_generic_node(nutups_cgi_script_t)
++ corenet_tcp_sendrecv_all_ports(nutups_cgi_script_t)
++ corenet_tcp_connect_ups_port(nutups_cgi_script_t)
++ corenet_udp_sendrecv_generic_if(nutups_cgi_script_t)
++ corenet_udp_sendrecv_generic_node(nutups_cgi_script_t)
++ corenet_udp_sendrecv_all_ports(nutups_cgi_script_t)
+
+- sysnet_dns_name_resolve(httpd_nutups_cgi_script_t)
++ sysnet_dns_name_resolve(nutups_cgi_script_t)
+ ')
+diff --git a/openshift.fc b/openshift.fc
+index f2d6119..71ba1bd 100644
+--- a/openshift.fc
++++ b/openshift.fc
+@@ -18,7 +18,7 @@
+ /usr/s?bin/(oo|rhc)-cgroup-read -- gen_context(system_u:object_r:openshift_cgroup_read_exec_t,s0)
+
+ /usr/s?bin/(oo|rhc)-restorer -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
+-/usr/s?bin/(oo|rhc)-restorer-wrapper.sh -- gen_context(system_u:object_r:httpd_openshift_script_exec_t,s0)
++/usr/s?bin/(oo|rhc)-restorer-wrapper.sh -- gen_context(system_u:object_r:openshift_script_exec_t,s0)
+ /usr/s?bin/oo-admin-ctl-gears -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
+ /usr/s?bin/mcollectived -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
+
+diff --git a/openshift.te b/openshift.te
+index cd25e8e..7965e82 100644
+--- a/openshift.te
++++ b/openshift.te
+@@ -294,13 +294,14 @@ optional_policy(`
+ # openshift cgi script policy
+ #
+ apache_content_template(openshift)
+- domtrans_pattern(httpd_openshift_script_t, openshift_initrc_exec_t, openshift_initrc_t)
++ apache_content_alias_template(openshift, openshift)
++ domtrans_pattern(openshift_script_t, openshift_initrc_exec_t, openshift_initrc_t)
+
+ optional_policy(`
+- dbus_system_bus_client(httpd_openshift_script_t)
++ dbus_system_bus_client(openshift_script_t)
+
+ optional_policy(`
+- oddjob_dbus_chat(httpd_openshift_script_t)
++ oddjob_dbus_chat(openshift_script_t)
+ oddjob_dontaudit_rw_fifo_file(openshift_domain)
+ ')
+ ')
+diff --git a/pki.if b/pki.if
+index b975b85..798efb6 100644
+--- a/pki.if
++++ b/pki.if
+@@ -134,13 +134,6 @@ template(`pki_apache_template',`
+
+ # need to resolve addresses?
+ auth_use_nsswitch($1_t)
+-
+- #pki_apache_domain_signal(httpd_t)
+- #pki_apache_domain_signal(httpd_t)
+- #pki_manage_apache_run(httpd_t)
+- #pki_manage_apache_config_files(httpd_t)
+- #pki_manage_apache_log_files(httpd_t)
+- #pki_manage_apache_lib(httpd_t)
+ ')
+
+ #######################################
+diff --git a/pki.te b/pki.te
+index 17f5d18..d656f71 100644
+--- a/pki.te
++++ b/pki.te
+@@ -43,7 +43,6 @@ typealias pki_tomcat_etc_rw_t alias { pki_ca_etc_rw_t pki_kra_etc_rw_t pki_ocsp_
+ typealias pki_tomcat_var_lib_t alias { pki_ca_var_lib_t pki_kra_var_lib_t pki_ocsp_var_lib_t pki_tks_var_lib_t };
+ typealias pki_tomcat_var_run_t alias { pki_ca_var_run_t pki_kra_var_run_t pki_ocsp_var_run_t pki_tks_var_run_t };
+ typealias pki_tomcat_log_t alias { pki_ca_log_t pki_kra_log_t pki_ocsp_log_t pki_tks_log_t };
+-# typealias http_port_t alias { pki_ca_port_t pki_kra_port_t pki_ocsp_port_t pki_tks_port_t };
+
+
+ # pki policy types
+@@ -126,10 +125,6 @@ miscfiles_read_hwdata(pki_tomcat_t)
+ userdom_manage_user_tmp_dirs(pki_tomcat_t)
+ userdom_manage_user_tmp_files(pki_tomcat_t)
+
+-# forward proxy
+-# need to define ports to fix this
+-#corenet_tcp_connect_pki_tomcat_port(httpd_t)
+-
+ # for crl publishing
+ allow pki_tomcat_t pki_tomcat_var_lib_t:lnk_file { rename create unlink };
+
+@@ -166,9 +161,6 @@ corenet_tcp_connect_pki_tks_port(pki_tps_t)
+
+ files_exec_usr_files(pki_tps_t)
+
+-# why do I need to add this?
+-#allow httpd_t httpd_config_t:file execute;
+-
+ ######################################
+ #
+ # ra local policy
+@@ -268,13 +260,8 @@ optional_policy(`
+ apache_list_modules(pki_apache_domain)
+ apache_read_config(pki_apache_domain)
+ apache_exec(pki_apache_domain)
+- apache_exec_suexec(pki_apache_domain)
++ apache_exec_suexec(pki_apache_domain)
+ apache_entrypoint(pki_apache_domain)
+-
+- # should be started using a script which will execute httpd
+- # start up httpd in pki_apache_domain mode
+- #can_exec(pki_apache_domain, httpd_config_t)
+- #can_exec(pki_apache_domain, httpd_suexec_exec_t)
+ ')
+
+ # allow rpm -q in init scripts
+diff --git a/prelude.fc b/prelude.fc
+index 8dbc763..b580f85 100644
+--- a/prelude.fc
++++ b/prelude.fc
+@@ -12,7 +12,7 @@
+
+ /usr/sbin/audisp-prelude -- gen_context(system_u:object_r:prelude_audisp_exec_t,s0)
+
+-/usr/share/prewikka/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_prewikka_script_exec_t,s0)
++/usr/share/prewikka/cgi-bin(/.*)? gen_context(system_u:object_r:prewikka_script_exec_t,s0)
+
+ /var/lib/prelude-lml(/.*)? gen_context(system_u:object_r:prelude_var_lib_t,s0)
+
+diff --git a/prelude.te b/prelude.te
+index 509fd0a..e1f4f70 100644
+--- a/prelude.te
++++ b/prelude.te
+@@ -265,27 +265,28 @@ optional_policy(`
+
+ optional_policy(`
+ apache_content_template(prewikka)
++ apache_content_alias_template(prewikka, prewikka)
+
+- can_exec(httpd_prewikka_script_t, httpd_prewikka_script_exec_t)
++ can_exec(prewikka_script_t, prewikka_script_exec_t)
+
+- files_search_tmp(httpd_prewikka_script_t)
++ files_search_tmp(prewikka_script_t)
+
+- kernel_read_sysctl(httpd_prewikka_script_t)
+- kernel_search_network_sysctl(httpd_prewikka_script_t)
++ kernel_read_sysctl(prewikka_script_t)
++ kernel_search_network_sysctl(prewikka_script_t)
+
+- auth_use_nsswitch(httpd_prewikka_script_t)
++ auth_use_nsswitch(prewikka_script_t)
+
+- logging_send_syslog_msg(httpd_prewikka_script_t)
++ logging_send_syslog_msg(prewikka_script_t)
+
+- apache_search_sys_content(httpd_prewikka_script_t)
++ apache_search_sys_content(prewikka_script_t)
+
+ optional_policy(`
+- mysql_stream_connect(httpd_prewikka_script_t)
+- mysql_tcp_connect(httpd_prewikka_script_t)
++ mysql_stream_connect(prewikka_script_t)
++ mysql_tcp_connect(prewikka_script_t)
+ ')
+
+ optional_policy(`
+- postgresql_stream_connect(httpd_prewikka_script_t)
+- postgresql_tcp_connect(httpd_prewikka_script_t)
++ postgresql_stream_connect(prewikka_script_t)
++ postgresql_tcp_connect(prewikka_script_t)
+ ')
+ ')
+diff --git a/smokeping.fc b/smokeping.fc
+index 3359819..a231ecb 100644
+--- a/smokeping.fc
++++ b/smokeping.fc
+@@ -2,7 +2,7 @@
+
+ /usr/sbin/smokeping -- gen_context(system_u:object_r:smokeping_exec_t,s0)
+
+-/usr/share/smokeping/cgi(/.*)? gen_context(system_u:object_r:httpd_smokeping_cgi_script_exec_t,s0)
++/usr/share/smokeping/cgi(/.*)? gen_context(system_u:object_r:smokeping_cgi_script_exec_t,s0)
+
+ /var/lib/smokeping(/.*)? gen_context(system_u:object_r:smokeping_var_lib_t,s0)
+
+diff --git a/smokeping.te b/smokeping.te
+index ebf575f..26b6da1 100644
+--- a/smokeping.te
++++ b/smokeping.te
+@@ -58,19 +58,20 @@ netutils_domtrans_ping(smokeping_t)
+
+ optional_policy(`
+ apache_content_template(smokeping_cgi)
++ apache_content_alias_template(smokeping_cgi, smokeping_cgi)
+
+- manage_dirs_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t)
+- manage_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t)
++ manage_dirs_pattern(smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t)
++ manage_files_pattern(smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t)
+
+- getattr_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_run_t, smokeping_var_run_t)
++ getattr_files_pattern(smokeping_cgi_script_t, smokeping_var_run_t, smokeping_var_run_t)
+
+- files_read_etc_files(httpd_smokeping_cgi_script_t)
+- files_search_tmp(httpd_smokeping_cgi_script_t)
+- files_search_var_lib(httpd_smokeping_cgi_script_t)
++ files_read_etc_files(smokeping_cgi_script_t)
++ files_search_tmp(smokeping_cgi_script_t)
++ files_search_var_lib(smokeping_cgi_script_t)
+
+- auth_read_passwd(httpd_smokeping_cgi_script_t)
++ auth_read_passwd(smokeping_cgi_script_t)
+
+- sysnet_dns_name_resolve(httpd_smokeping_cgi_script_t)
++ sysnet_dns_name_resolve(smokeping_cgi_script_t)
+
+- netutils_domtrans_ping(httpd_smokeping_cgi_script_t)
++ netutils_domtrans_ping(smokeping_cgi_script_t)
+ ')
+diff --git a/squid.fc b/squid.fc
+index ebbec17..5b066d3 100644
+--- a/squid.fc
++++ b/squid.fc
+@@ -2,14 +2,14 @@
+ /etc/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
+ /etc/lightsquid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
+
+-/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
++/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:squid_script_exec_t,s0)
+
+ /usr/sbin/lightparser.pl -- gen_context(system_u:object_r:squid_cron_exec_t,s0)
+
+ /usr/sbin/squid -- gen_context(system_u:object_r:squid_exec_t,s0)
+
+ /usr/share/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
+-/usr/share/lightsquid/cgi(/.*)? gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
++/usr/share/lightsquid/cgi(/.*)? gen_context(system_u:object_r:squid_script_exec_t,s0)
+
+ /var/cache/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
+
+diff --git a/squid.te b/squid.te
+index 7cb8bec..4ade5f1 100644
+--- a/squid.te
++++ b/squid.te
+@@ -201,24 +201,25 @@ tunable_policy(`squid_use_tproxy',`
+
+ optional_policy(`
+ apache_content_template(squid)
++ apache_content_alias_template(squid, squid)
+
+- allow httpd_squid_script_t self:tcp_socket create_socket_perms;
++ allow squid_script_t self:tcp_socket create_socket_perms;
+
+- corenet_all_recvfrom_unlabeled(httpd_squid_script_t)
+- corenet_all_recvfrom_netlabel(httpd_squid_script_t)
+- corenet_tcp_sendrecv_generic_if(httpd_squid_script_t)
+- corenet_tcp_sendrecv_generic_node(httpd_squid_script_t)
++ corenet_all_recvfrom_unlabeled(squid_script_t)
++ corenet_all_recvfrom_netlabel(squid_script_t)
++ corenet_tcp_sendrecv_generic_if(squid_script_t)
++ corenet_tcp_sendrecv_generic_node(squid_script_t)
+
+- corenet_sendrecv_http_cache_client_packets(httpd_squid_script_t)
+- corenet_tcp_connect_http_cache_port(httpd_squid_script_t)
+- corenet_tcp_sendrecv_http_cache_port(httpd_squid_script_t)
++ corenet_sendrecv_http_cache_client_packets(squid_script_t)
++ corenet_tcp_connect_http_cache_port(squid_script_t)
++ corenet_tcp_sendrecv_http_cache_port(squid_script_t)
+
+- corenet_tcp_connect_squid_port(httpd_squid_script_t)
++ corenet_tcp_connect_squid_port(squid_script_t)
+
+- sysnet_dns_name_resolve(httpd_squid_script_t)
++ sysnet_dns_name_resolve(squid_script_t)
+
+ optional_policy(`
+- squid_read_config(httpd_squid_script_t)
++ squid_read_config(squid_script_t)
+ ')
+ ')
+
+diff --git a/w3c.fc b/w3c.fc
+index 463c799..227feaf 100644
+--- a/w3c.fc
++++ b/w3c.fc
+@@ -1,4 +1,4 @@
+-/usr/lib/cgi-bin/check -- gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0)
++/usr/lib/cgi-bin/check -- gen_context(system_u:object_r:w3c_validator_script_exec_t,s0)
+
+-/usr/share/w3c-markup-validator(/.*)? gen_context(system_u:object_r:httpd_w3c_validator_content_t,s0)
+-/usr/share/w3c-markup-validator/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0)
++/usr/share/w3c-markup-validator(/.*)? gen_context(system_u:object_r:w3c_validator_content_t,s0)
++/usr/share/w3c-markup-validator/cgi-bin(/.*)? gen_context(system_u:object_r:w3c_validator_script_exec_t,s0)
+diff --git a/w3c.te b/w3c.te
+index b14d6a9..ac1944e 100644
+--- a/w3c.te
++++ b/w3c.te
+@@ -6,29 +6,30 @@ policy_module(w3c, 1.1.0)
+ #
+
+ apache_content_template(w3c_validator)
++apache_content_alias_template(w3c_validator, w3c_validator)
+
+ ########################################
+ #
+ # Local policy
+ #
+
+-corenet_all_recvfrom_unlabeled(httpd_w3c_validator_script_t)
+-corenet_all_recvfrom_netlabel(httpd_w3c_validator_script_t)
+-corenet_tcp_sendrecv_generic_if(httpd_w3c_validator_script_t)
+-corenet_tcp_sendrecv_generic_node(httpd_w3c_validator_script_t)
++corenet_all_recvfrom_unlabeled(w3c_validator_script_t)
++corenet_all_recvfrom_netlabel(w3c_validator_script_t)
++corenet_tcp_sendrecv_generic_if(w3c_validator_script_t)
++corenet_tcp_sendrecv_generic_node(w3c_validator_script_t)
+
+-corenet_sendrecv_ftp_client_packets(httpd_w3c_validator_script_t)
+-corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t)
+-corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t)
++corenet_sendrecv_ftp_client_packets(w3c_validator_script_t)
++corenet_tcp_connect_ftp_port(w3c_validator_script_t)
++corenet_tcp_sendrecv_ftp_port(w3c_validator_script_t)
+
+-corenet_sendrecv_http_client_packets(httpd_w3c_validator_script_t)
+-corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
+-corenet_tcp_sendrecv_http_port(httpd_w3c_validator_script_t)
++corenet_sendrecv_http_client_packets(w3c_validator_script_t)
++corenet_tcp_connect_http_port(w3c_validator_script_t)
++corenet_tcp_sendrecv_http_port(w3c_validator_script_t)
+
+-corenet_sendrecv_http_cache_client_packets(httpd_w3c_validator_script_t)
+-corenet_tcp_connect_http_cache_port(httpd_w3c_validator_script_t)
+-corenet_tcp_sendrecv_http_cache_port(httpd_w3c_validator_script_t)
++corenet_sendrecv_http_cache_client_packets(w3c_validator_script_t)
++corenet_tcp_connect_http_cache_port(w3c_validator_script_t)
++corenet_tcp_sendrecv_http_cache_port(w3c_validator_script_t)
+
+-miscfiles_read_generic_certs(httpd_w3c_validator_script_t)
++miscfiles_read_generic_certs(w3c_validator_script_t)
+
+-sysnet_dns_name_resolve(httpd_w3c_validator_script_t)
++sysnet_dns_name_resolve(w3c_validator_script_t)
+diff --git a/webalizer.fc b/webalizer.fc
+index 64baf67..76c753b 100644
+--- a/webalizer.fc
++++ b/webalizer.fc
+@@ -6,4 +6,4 @@
+
+ /var/lib/webalizer(/.*)? gen_context(system_u:object_r:webalizer_var_lib_t,s0)
+
+-/var/www/usage(/.*)? gen_context(system_u:object_r:httpd_webalizer_content_t,s0)
++/var/www/usage(/.*)? gen_context(system_u:object_r:webalizer_rw_content_t,s0)
+diff --git a/webalizer.te b/webalizer.te
+index e0b1983..32cbf8c 100644
+--- a/webalizer.te
++++ b/webalizer.te
+@@ -83,9 +83,8 @@ userdom_dontaudit_search_user_home_content(webalizer_t)
+ optional_policy(`
+ apache_read_log(webalizer_t)
+ apache_content_template(webalizer)
++ apache_content_alias_template(webalizer, webalizer)
+ apache_manage_sys_content(webalizer_t)
+- manage_dirs_pattern(webalizer_t, httpd_webalizer_content_t, httpd_webalizer_content_t)
+- manage_files_pattern(webalizer_t, httpd_webalizer_content_t, httpd_webalizer_content_t)
+ ')
+
+ optional_policy(`
+diff --git a/zoneminder.fc b/zoneminder.fc
+index 8c61505..ceaa219 100644
+--- a/zoneminder.fc
++++ b/zoneminder.fc
+@@ -4,7 +4,7 @@
+
+ /usr/lib/systemd/system/zoneminder.* -- gen_context(system_u:object_r:zoneminder_unit_file_t,s0)
+
+-/usr/libexec/zoneminder/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_zoneminder_script_exec_t,s0)
++/usr/libexec/zoneminder/cgi-bin(/.*)? gen_context(system_u:object_r:zoneminder_script_exec_t,s0)
+
+ /var/lib/zoneminder(/.*)? gen_context(system_u:object_r:zoneminder_var_lib_t,s0)
+
+diff --git a/zoneminder.te b/zoneminder.te
+index add28f7..b66e76d 100644
+--- a/zoneminder.te
++++ b/zoneminder.te
+@@ -164,24 +164,24 @@ optional_policy(`
+
+ optional_policy(`
+ apache_content_template(zoneminder)
++ apache_content_alias_template(zoneminder, zoneminder)
+
+ # need more testing
+- #allow httpd_zoneminder_script_t self:shm create_shm_perms;
++ #allow zoneminder_script_t self:shm create_shm_perms;
+
+- manage_sock_files_pattern(httpd_zoneminder_script_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
++ manage_sock_files_pattern(zoneminder_script_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
+
+- rw_files_pattern(httpd_zoneminder_script_t, zoneminder_tmpfs_t, zoneminder_tmpfs_t)
++ rw_files_pattern(zoneminder_script_t, zoneminder_tmpfs_t, zoneminder_tmpfs_t)
+
+- zoneminder_stream_connect(httpd_zoneminder_script_t)
++ zoneminder_stream_connect(zoneminder_script_t)
+
+- can_exec(zoneminder_t, httpd_zoneminder_script_exec_t)
++ can_exec(zoneminder_t, zoneminder_script_exec_t)
+
+- files_search_var_lib(httpd_zoneminder_script_t)
++ files_search_var_lib(zoneminder_script_t)
+
+- logging_send_syslog_msg(httpd_zoneminder_script_t)
++ logging_send_syslog_msg(zoneminder_script_t)
+
+ optional_policy(`
+- mysql_stream_connect(httpd_zoneminder_script_t)
++ mysql_stream_connect(zoneminder_script_t)
+ ')
+-
+ ')
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 5e63791..c91233a 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -509,7 +509,7 @@ index 058d908..9d57403 100644
+')
+
diff --git a/abrt.te b/abrt.te
-index eb50f07..6ba0357 100644
+index eb50f07..15c0d4e 100644
--- a/abrt.te
+++ b/abrt.te
@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
@@ -759,7 +759,7 @@ index eb50f07..6ba0357 100644
')
optional_policy(`
-@@ -222,6 +237,16 @@ optional_policy(`
+@@ -222,6 +237,20 @@ optional_policy(`
')
optional_policy(`
@@ -767,6 +767,10 @@ index eb50f07..6ba0357 100644
+')
+
+optional_policy(`
++ mcelog_read_log(abrt_t)
++')
++
++optional_policy(`
+ mozilla_plugin_dontaudit_rw_tmp_files(abrt_t)
+ mozilla_plugin_read_rw_files(abrt_t)
+')
@@ -776,7 +780,7 @@ index eb50f07..6ba0357 100644
policykit_domtrans_auth(abrt_t)
policykit_read_lib(abrt_t)
policykit_read_reload(abrt_t)
-@@ -233,6 +258,7 @@ optional_policy(`
+@@ -233,6 +262,7 @@ optional_policy(`
corecmd_exec_all_executables(abrt_t)
')
@@ -784,7 +788,7 @@ index eb50f07..6ba0357 100644
optional_policy(`
rpm_exec(abrt_t)
rpm_dontaudit_manage_db(abrt_t)
-@@ -243,6 +269,7 @@ optional_policy(`
+@@ -243,6 +273,7 @@ optional_policy(`
rpm_signull(abrt_t)
')
@@ -792,7 +796,7 @@ index eb50f07..6ba0357 100644
optional_policy(`
sendmail_domtrans(abrt_t)
')
-@@ -253,9 +280,17 @@ optional_policy(`
+@@ -253,9 +284,17 @@ optional_policy(`
sosreport_delete_tmp_files(abrt_t)
')
@@ -811,7 +815,7 @@ index eb50f07..6ba0357 100644
#
allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
-@@ -266,9 +301,13 @@ tunable_policy(`abrt_handle_event',`
+@@ -266,9 +305,13 @@ tunable_policy(`abrt_handle_event',`
can_exec(abrt_t, abrt_handle_event_exec_t)
')
@@ -826,7 +830,7 @@ index eb50f07..6ba0357 100644
#
allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -281,6 +320,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+@@ -281,6 +324,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
@@ -834,7 +838,7 @@ index eb50f07..6ba0357 100644
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
-@@ -289,15 +329,20 @@ corecmd_read_all_executables(abrt_helper_t)
+@@ -289,15 +333,20 @@ corecmd_read_all_executables(abrt_helper_t)
domain_read_all_domains_state(abrt_helper_t)
@@ -855,7 +859,7 @@ index eb50f07..6ba0357 100644
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -305,11 +350,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -305,11 +354,25 @@ ifdef(`hide_broken_symptoms',`
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -882,7 +886,7 @@ index eb50f07..6ba0357 100644
#
allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
-@@ -327,10 +386,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
+@@ -327,10 +390,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
dev_read_urand(abrt_retrace_coredump_t)
@@ -896,7 +900,7 @@ index eb50f07..6ba0357 100644
optional_policy(`
rpm_exec(abrt_retrace_coredump_t)
rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
-@@ -343,10 +404,11 @@ optional_policy(`
+@@ -343,10 +408,11 @@ optional_policy(`
#######################################
#
@@ -910,7 +914,7 @@ index eb50f07..6ba0357 100644
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -365,38 +427,48 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -365,38 +431,48 @@ corecmd_exec_shell(abrt_retrace_worker_t)
dev_read_urand(abrt_retrace_worker_t)
@@ -962,7 +966,7 @@ index eb50f07..6ba0357 100644
#######################################
#
-@@ -404,7 +476,7 @@ logging_read_generic_logs(abrt_dump_oops_t)
+@@ -404,7 +480,7 @@ logging_read_generic_logs(abrt_dump_oops_t)
#
allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
@@ -971,7 +975,7 @@ index eb50f07..6ba0357 100644
read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
-@@ -413,16 +485,42 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
+@@ -413,16 +489,42 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
corecmd_exec_bin(abrt_watch_log_t)
logging_read_all_logs(abrt_watch_log_t)
@@ -1015,7 +1019,7 @@ index eb50f07..6ba0357 100644
')
#######################################
-@@ -430,10 +528,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
+@@ -430,10 +532,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
# Global local policy
#
@@ -21332,10 +21336,12 @@ index aa0ef6e..02bdb68 100644
+ rhsmcertd_rw_inherited_lock_files(dmidecode_t)
+')
diff --git a/dnsmasq.fc b/dnsmasq.fc
-index 23ab808..4a801b5 100644
+index 23ab808..84735a8 100644
--- a/dnsmasq.fc
+++ b/dnsmasq.fc
-@@ -2,6 +2,8 @@
+@@ -1,13 +1,16 @@
+ /etc/dnsmasq\.conf -- gen_context(system_u:object_r:dnsmasq_etc_t,s0)
++/etc/dnsmasq\.d(/.*)? gen_context(system_u:object_r:dnsmasq_etc_t,s0)
/etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0)
@@ -21344,8 +21350,16 @@ index 23ab808..4a801b5 100644
/usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0)
/var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0)
+ /var/lib/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_lease_t,s0)
+
+-/var/log/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_var_log_t,s0)
++/var/log/dnsmasq.* gen_context(system_u:object_r:dnsmasq_var_log_t,s0)
+
+-/var/run/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
++/var/run/dnsmasq.* gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
+ /var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
diff --git a/dnsmasq.if b/dnsmasq.if
-index 19aa0b8..1e8b244 100644
+index 19aa0b8..e34a540 100644
--- a/dnsmasq.if
+++ b/dnsmasq.if
@@ -10,7 +10,6 @@
@@ -21489,7 +21503,7 @@ index 19aa0b8..1e8b244 100644
read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
')
-@@ -214,37 +292,46 @@ interface(`dnsmasq_create_pid_dirs',`
+@@ -214,37 +292,49 @@ interface(`dnsmasq_create_pid_dirs',`
########################################
## <summary>
@@ -21545,16 +21559,19 @@ index 19aa0b8..1e8b244 100644
+#
+interface(`dnsmasq_filetrans_named_content',`
+ gen_require(`
++ type dnsmasq_etc_t;
+ type dnsmasq_var_run_t;
+ ')
+
+ files_pid_filetrans($1, dnsmasq_var_run_t, dir, "network")
+ files_pid_filetrans($1, dnsmasq_var_run_t, file, "dnsmasq.pid")
+ virt_pid_filetrans($1, dnsmasq_var_run_t, file, "network")
++ files_etc_filetrans($1, dnsmasq_etc_t, file, "dnsmasq.conf")
++ files_etc_filetrans($1, dnsmasq_etc_t, dir, "dnsmasq.d")
')
########################################
-@@ -267,12 +354,18 @@ interface(`dnsmasq_spec_filetrans_pid',`
+@@ -267,12 +357,18 @@ interface(`dnsmasq_spec_filetrans_pid',`
interface(`dnsmasq_admin',`
gen_require(`
type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t;
@@ -21575,7 +21592,7 @@ index 19aa0b8..1e8b244 100644
init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 dnsmasq_initrc_exec_t system_r;
-@@ -281,9 +374,13 @@ interface(`dnsmasq_admin',`
+@@ -281,9 +377,13 @@ interface(`dnsmasq_admin',`
files_list_var_lib($1)
admin_pattern($1, dnsmasq_lease_t)
@@ -37952,6 +37969,36 @@ index e6136fd..f5203f5 100644
ifdef(`distro_debian',`
optional_policy(`
+diff --git a/mcelog.if b/mcelog.if
+index f89651e..ea89ab1 100644
+--- a/mcelog.if
++++ b/mcelog.if
+@@ -19,6 +19,25 @@ interface(`mcelog_domtrans',`
+ domtrans_pattern($1, mcelog_exec_t, mcelog_t)
+ ')
+
++######################################
++## <summary>
++## Read mcelog logs.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`mcelog_read_log',`
++ gen_require(`
++ type mcelog_var_log_t;
++ ')
++
++ logging_search_logs($1)
++ read_files_pattern($1, mcelog_var_log_t, mcelog_var_log_t)
++')
++
+ ########################################
+ ## <summary>
+ ## All of the rules required to
diff --git a/mcelog.te b/mcelog.te
index 59b3b3d..064c4fd 100644
--- a/mcelog.te
@@ -66426,10 +66473,10 @@ index 83eb09e..b48c931 100644
+')
+
diff --git a/quantum.fc b/quantum.fc
-index 70ab68b..1de192b 100644
+index 70ab68b..32dec67 100644
--- a/quantum.fc
+++ b/quantum.fc
-@@ -1,10 +1,26 @@
+@@ -1,10 +1,28 @@
-/etc/rc\.d/init\.d/quantum.* -- gen_context(system_u:object_r:quantum_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/neutron.* -- gen_context(system_u:object_r:neutron_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/quantum.* -- gen_context(system_u:object_r:neutron_initrc_exec_t,s0)
@@ -66440,6 +66487,8 @@ index 70ab68b..1de192b 100644
-/usr/bin/quantum-ryu-agent -- gen_context(system_u:object_r:quantum_exec_t,s0)
+/usr/bin/neutron-dhcp-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/neutron-l3-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
++/usr/bin/neutron-lbaas-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
++/usr/bin/neutron-rootwrap -- gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/neutron-linuxbridge-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/neutron-openvswitch-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/neutron-ovs-cleanup -- gen_context(system_u:object_r:neutron_exec_t,s0)
@@ -66779,7 +66828,7 @@ index afc0068..3105104 100644
+ ')
')
diff --git a/quantum.te b/quantum.te
-index 8644d8b..d850703 100644
+index 8644d8b..b744b5d 100644
--- a/quantum.te
+++ b/quantum.te
@@ -5,92 +5,105 @@ policy_module(quantum, 1.1.0)
@@ -66906,7 +66955,7 @@ index 8644d8b..d850703 100644
+logging_send_syslog_msg(neutron_t)
-miscfiles_read_localization(quantum_t)
-+sysnet_domtrans_ifconfig(neutron_t)
++sysnet_exec_ifconfig(neutron_t)
-sysnet_domtrans_ifconfig(quantum_t)
+optional_policy(`
@@ -92905,7 +92954,7 @@ index facdee8..73549fd 100644
+ virt_stream_connect($1)
')
diff --git a/virt.te b/virt.te
-index f03dcf5..007e3ca 100644
+index f03dcf5..d58e3de 100644
--- a/virt.te
+++ b/virt.te
@@ -1,150 +1,176 @@
@@ -94330,7 +94379,7 @@ index f03dcf5..007e3ca 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1094,239 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1094,246 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@@ -94655,6 +94704,13 @@ index f03dcf5..007e3ca 100644
+allow svirt_qemu_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
+allow svirt_qemu_net_t self:netlink_kobject_uevent_socket create_socket_perms;
+
++manage_dirs_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
++manage_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
++manage_fifo_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
++manage_lnk_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
++manage_sock_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
++filetrans_pattern(sandbox_net_domain, virt_home_t, svirt_home_t, { dir sock_file file })
++
+term_use_generic_ptys(svirt_qemu_net_t)
+term_use_ptmx(svirt_qemu_net_t)
+
@@ -94668,13 +94724,13 @@ index f03dcf5..007e3ca 100644
+append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t)
+
+kernel_read_irq_sysctls(svirt_qemu_net_t)
-+
+
+-allow svirt_prot_exec_t self:process { execmem execstack };
+dev_read_sysfs(svirt_qemu_net_t)
+dev_getattr_mtrr_dev(svirt_qemu_net_t)
+dev_read_rand(svirt_qemu_net_t)
+dev_read_urand(svirt_qemu_net_t)
-
--allow svirt_prot_exec_t self:process { execmem execstack };
++
+files_read_kernel_modules(svirt_qemu_net_t)
+
+fs_noxattr_type(svirt_sandbox_file_t)
@@ -94706,7 +94762,7 @@ index f03dcf5..007e3ca 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1174,12 +1339,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1346,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -94721,7 +94777,7 @@ index f03dcf5..007e3ca 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1192,9 +1357,8 @@ optional_policy(`
+@@ -1192,9 +1364,8 @@ optional_policy(`
########################################
#
@@ -94732,7 +94788,7 @@ index f03dcf5..007e3ca 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1207,5 +1371,194 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1207,5 +1378,193 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
@@ -94928,7 +94984,6 @@ index f03dcf5..007e3ca 100644
+corenet_udp_bind_all_ports(sandbox_net_domain)
+corenet_tcp_bind_all_ports(sandbox_net_domain)
+corenet_tcp_connect_all_ports(sandbox_net_domain)
-+
diff --git a/vlock.te b/vlock.te
index 6b72968..de409cc 100644
--- a/vlock.te
@@ -98508,10 +98563,10 @@ index 3fded1c..5729b83 100644
-miscfiles_read_localization(zarafa_domain)
+dev_read_sysfs(zarafa_domain)
diff --git a/zebra.fc b/zebra.fc
-index 28ee4ca..e1b30b2 100644
+index 28ee4ca..bc37f76 100644
--- a/zebra.fc
+++ b/zebra.fc
-@@ -1,21 +1,22 @@
+@@ -1,21 +1,34 @@
-/etc/quagga(/.*)? gen_context(system_u:object_r:zebra_conf_t,s0)
-/etc/zebra(/.*)? gen_context(system_u:object_r:zebra_conf_t,s0)
-
@@ -98525,18 +98580,30 @@ index 28ee4ca..e1b30b2 100644
-/etc/rc\.d/init\.d/zebra -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/ripngd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/zebra -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
-+
-+/usr/sbin/bgpd -- gen_context(system_u:object_r:zebra_exec_t,s0)
-+/usr/sbin/zebra -- gen_context(system_u:object_r:zebra_exec_t,s0)
-+
-+/etc/quagga(/.*)? gen_context(system_u:object_r:zebra_conf_t,s0)
-+/etc/zebra(/.*)? gen_context(system_u:object_r:zebra_conf_t,s0)
++/etc/rc\.d/init\.d/babeld -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/isisd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
++
++/usr/lib/systemd/system/babeld.* -- gen_context(system_u:object_r:zebra_unit_file_t,s0)
++/usr/lib/systemd/system/bgpd.* -- gen_context(system_u:object_r:zebra_unit_file_t,s0)
++/usr/lib/systemd/system/isisd.* -- gen_context(system_u:object_r:zebra_unit_file_t,s0)
++/usr/lib/systemd/system/ospf6d.* -- gen_context(system_u:object_r:zebra_unit_file_t,s0)
++/usr/lib/systemd/system/ospfd.* -- gen_context(system_u:object_r:zebra_unit_file_t,s0)
++/usr/lib/systemd/system/ripd.* -- gen_context(system_u:object_r:zebra_unit_file_t,s0)
++/usr/lib/systemd/system/ripngd.* -- gen_context(system_u:object_r:zebra_unit_file_t,s0)
++/usr/lib/systemd/system/zebra.* -- gen_context(system_u:object_r:zebra_unit_file_t,s0)
-/usr/sbin/bgpd -- gen_context(system_u:object_r:zebra_exec_t,s0)
++/usr/sbin/babeld -- gen_context(system_u:object_r:zebra_exec_t,s0)
++/usr/sbin/bgpd -- gen_context(system_u:object_r:zebra_exec_t,s0)
++/usr/sbin/isisd -- gen_context(system_u:object_r:zebra_exec_t,s0)
/usr/sbin/ospf.* -- gen_context(system_u:object_r:zebra_exec_t,s0)
-/usr/sbin/rip.* -- gen_context(system_u:object_r:zebra_exec_t,s0)
-/usr/sbin/zebra -- gen_context(system_u:object_r:zebra_exec_t,s0)
+/usr/sbin/rip.* -- gen_context(system_u:object_r:zebra_exec_t,s0)
++/usr/sbin/zebra -- gen_context(system_u:object_r:zebra_exec_t,s0)
++
++/etc/quagga(/.*)? gen_context(system_u:object_r:zebra_conf_t,s0)
++/etc/zebra(/.*)? gen_context(system_u:object_r:zebra_conf_t,s0)
-/var/log/quagga(/.*)? gen_context(system_u:object_r:zebra_log_t,s0)
-/var/log/zebra(/.*)? gen_context(system_u:object_r:zebra_log_t,s0)
@@ -98548,7 +98615,7 @@ index 28ee4ca..e1b30b2 100644
-/var/run/quagga(/.*)? gen_context(system_u:object_r:zebra_var_run_t,s0)
+/var/run/quagga(/.*)? gen_context(system_u:object_r:zebra_var_run_t,s0)
diff --git a/zebra.if b/zebra.if
-index 3416401..ef64e73 100644
+index 3416401..676925c 100644
--- a/zebra.if
+++ b/zebra.if
@@ -1,8 +1,8 @@
@@ -98580,8 +98647,33 @@ index 3416401..ef64e73 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -44,8 +43,8 @@ interface(`zebra_stream_connect',`
+@@ -42,10 +41,33 @@ interface(`zebra_stream_connect',`
+ stream_connect_pattern($1, zebra_var_run_t, zebra_var_run_t, zebra_t)
+ ')
++#######################################
++## <summary>
++## Execute zebra services in the zebra domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`zebra_systemctl',`
++ gen_require(`
++ type zebra_t;
++ type zebra_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 zebra_unit_file_t:file read_file_perms;
++ allow $1 zebra_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, zebra_t)
++')
++
########################################
## <summary>
-## All of the rules required to
@@ -98591,7 +98683,7 @@ index 3416401..ef64e73 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -54,7 +53,7 @@ interface(`zebra_stream_connect',`
+@@ -54,7 +76,7 @@ interface(`zebra_stream_connect',`
## </param>
## <param name="role">
## <summary>
@@ -98600,7 +98692,7 @@ index 3416401..ef64e73 100644
## </summary>
## </param>
## <rolecap/>
-@@ -62,12 +61,14 @@ interface(`zebra_stream_connect',`
+@@ -62,13 +84,16 @@ interface(`zebra_stream_connect',`
interface(`zebra_admin',`
gen_require(`
type zebra_t, zebra_tmp_t, zebra_log_t;
@@ -98612,17 +98704,28 @@ index 3416401..ef64e73 100644
- allow $1 zebra_t:process { ptrace signal_perms };
+ allow $1 zebra_t:process signal_perms;
ps_process_pattern($1, zebra_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 zebra_t:process ptrace;
+ ')
-
++
init_labeled_script_domtrans($1, zebra_initrc_exec_t)
domain_system_change_exemption($1)
+ role_transition $2 zebra_initrc_exec_t system_r;
+@@ -85,4 +110,8 @@ interface(`zebra_admin',`
+
+ files_list_pids($1)
+ admin_pattern($1, zebra_var_run_t)
++
++ zebra_systemctl($1)
++ admin_pattern($1, zebra_unit_file_t)
++ allow $1 zebra_unit_file_t:service all_service_perms;
+ ')
diff --git a/zebra.te b/zebra.te
-index 2e80d04..dd1513f 100644
+index 2e80d04..3a76167 100644
--- a/zebra.te
+++ b/zebra.te
-@@ -6,19 +6,19 @@ policy_module(zebra, 1.13.0)
+@@ -6,23 +6,26 @@ policy_module(zebra, 1.13.0)
#
## <desc>
@@ -98648,7 +98751,14 @@ index 2e80d04..dd1513f 100644
type zebra_initrc_exec_t;
init_script_file(zebra_initrc_exec_t)
-@@ -40,24 +40,24 @@ files_pid_file(zebra_var_run_t)
+
++type zebra_unit_file_t;
++systemd_unit_file(zebra_unit_file_t)
++
+ type zebra_log_t;
+ logging_log_file(zebra_log_t)
+
+@@ -40,26 +43,27 @@ files_pid_file(zebra_var_run_t)
allow zebra_t self:capability { setgid setuid net_admin net_raw };
dontaudit zebra_t self:capability sys_tty_config;
allow zebra_t self:process { signal_perms getcap setcap };
@@ -98676,11 +98786,16 @@ index 2e80d04..dd1513f 100644
manage_sock_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
logging_log_filetrans(zebra_t, zebra_log_t, { sock_file file dir })
+-allow zebra_t zebra_tmp_t:sock_file manage_sock_file_perms;
+-files_tmp_filetrans(zebra_t, zebra_tmp_t, sock_file)
+# /tmp/.bgpd is such a bad idea!
- allow zebra_t zebra_tmp_t:sock_file manage_sock_file_perms;
- files_tmp_filetrans(zebra_t, zebra_tmp_t, sock_file)
++manage_sock_files_pattern(zebra_t, zebra_tmp_t, zebra_tmp_t)
++manage_files_pattern(zebra_t, zebra_tmp_t, zebra_tmp_t)
++files_tmp_filetrans(zebra_t, zebra_tmp_t, { file sock_file })
-@@ -71,7 +71,6 @@ kernel_read_network_state(zebra_t)
+ manage_dirs_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t)
+ manage_files_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t)
+@@ -71,7 +75,6 @@ kernel_read_network_state(zebra_t)
kernel_read_kernel_sysctls(zebra_t)
kernel_rw_net_sysctls(zebra_t)
@@ -98688,7 +98803,7 @@ index 2e80d04..dd1513f 100644
corenet_all_recvfrom_netlabel(zebra_t)
corenet_tcp_sendrecv_generic_if(zebra_t)
corenet_udp_sendrecv_generic_if(zebra_t)
-@@ -79,48 +78,44 @@ corenet_raw_sendrecv_generic_if(zebra_t)
+@@ -79,48 +82,44 @@ corenet_raw_sendrecv_generic_if(zebra_t)
corenet_tcp_sendrecv_generic_node(zebra_t)
corenet_udp_sendrecv_generic_node(zebra_t)
corenet_raw_sendrecv_generic_node(zebra_t)
@@ -98751,7 +98866,7 @@ index 2e80d04..dd1513f 100644
manage_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
')
-@@ -139,3 +134,7 @@ optional_policy(`
+@@ -139,3 +138,7 @@ optional_policy(`
optional_policy(`
udev_read_db(zebra_t)
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 36ab3f0..19b62e7 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,12 +19,13 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 2%{?dist}
+Release: 3%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
patch: policy-rawhide-base.patch
patch1: policy-rawhide-contrib.patch
+patch2: policy-rawhide-contrib-apache-content.patch
Source1: modules-targeted-base.conf
Source31: modules-targeted-contrib.conf
Source2: booleans-targeted.conf
@@ -315,6 +316,7 @@ Based off of reference policy: Checked out revision 2.20091117
%prep
%setup -n serefpolicy-contrib-%{version} -q -b 29
%patch1 -p1
+%patch2 -p1
contrib_path=`pwd`
%setup -n serefpolicy-%{version} -q
%patch -p1
@@ -573,6 +575,9 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Thu Nov 14 2013 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-3
+- Add policy-rawhide-contrib-apache-content.patch to re-write apache_content_template() by dwalsh
+
* Thu Nov 14 2013 Dan Walsh<dwalsh@redhat.com> 3.13.1-2
- Fix config.tgz to include lxc_contexts and systemd_contexts