diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index ac72c68..16ea301 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -5363,7 +5363,7 @@ index 8e0f9cd..b9f45b9 100644
  
  define(`create_packet_interfaces',``
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index b191055..62570b0 100644
+index b191055..6c1f7f5 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
@@ -5686,7 +5686,15 @@ index b191055..62570b0 100644
  network_port(winshadow, tcp,3161,s0, udp,3261,s0)
  network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
  network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
-@@ -295,12 +347,16 @@ network_port(zope, tcp,8021,s0)
+@@ -288,19 +340,23 @@ network_port(zabbix_agent, tcp,10050,s0)
+ network_port(zookeeper_client, tcp,2181,s0)
+ network_port(zookeeper_election, tcp,3888,s0)
+ network_port(zookeeper_leader, tcp,2888,s0)
+-network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0)
++network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, tcp,2608-2609,s0, udp,2600-2604,s0, udp,2606,s0, udp,2608-2609,s0)
+ network_port(zented, tcp,1229,s0, udp,1229,s0)
+ network_port(zope, tcp,8021,s0)
+ 
  # Defaults for reserved ports.	Earlier portcon entries take precedence;
  # these entries just cover any remaining reserved ports not otherwise declared.
  
@@ -44590,7 +44598,7 @@ index e79d545..101086d 100644
  ')
  
 diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
-index 6e91317..260ea6c 100644
+index 6e91317..64e135a 100644
 --- a/policy/support/obj_perm_sets.spt
 +++ b/policy/support/obj_perm_sets.spt
 @@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }')
@@ -44687,7 +44695,7 @@ index 6e91317..260ea6c 100644
  # Use (read and write) terminals
  #
 -define(`rw_term_perms', `{ getattr open read write append ioctl }')
-+define(`rw_inherited_term_perms', `{ getattr read write append ioctl }')
++define(`rw_inherited_term_perms', `{ getattr lock read write append ioctl }')
 +define(`rw_term_perms', `{ rw_inherited_term_perms open }')
  
  #
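Review bot: Adding `lock` to `rw_inherited_term_perms` widens a shared permission set, and because `rw_term_perms` is now defined as `{ rw_inherited_term_perms open }` it inherits the new permission too. Every domain that uses either macro gains the ability to lock terminal devices, and nothing in the hunk records which program needed it. I would add a comment above the define, for example `# lock: required by <program> on an inherited tty, see <bug reference>`, so a later audit can tell whether the grant is still justified. If only one domain needs it, a targeted `allow` in that module would keep the common set minimal; the callers are not visible here, so that is a suggestion to check.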
diff --git a/policy-rawhide-contrib-apache-content.patch b/policy-rawhide-contrib-apache-content.patch
new file mode 100644
index 0000000..0c31ccc
--- /dev/null
+++ b/policy-rawhide-contrib-apache-content.patch
@@ -0,0 +1,2114 @@
+diff --git a/apache.if b/apache.if
+index fac6fe5..804867a 100644
+--- a/apache.if
++++ b/apache.if
+@@ -14,99 +14,123 @@
+ template(`apache_content_template',`
+ 	gen_require(`
+ 		attribute httpd_exec_scripts, httpd_script_exec_type;
+-		type httpd_t, httpd_suexec_t, httpd_log_t;
+-		type httpd_sys_content_t;
++		type httpd_t, httpd_suexec_t;
+ 		attribute httpd_script_type, httpd_content_type;
+ 	')
+ 
+ 	#This type is for webpages
+-	type httpd_$1_content_t; # customizable;
+-	typeattribute httpd_$1_content_t httpd_content_type;
+-	typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
+-	files_type(httpd_$1_content_t)
++	type $1_content_t; # customizable;
++	typeattribute $1_content_t httpd_content_type;
++	typealias $1_content_t alias httpd_$1_script_ro_t;
++	files_type($1_content_t)
+ 
+ 	# This type is used for .htaccess files
+-	type httpd_$1_htaccess_t, httpd_content_type; # customizable;
+-	typeattribute httpd_$1_htaccess_t httpd_content_type;
+-	files_type(httpd_$1_htaccess_t)
++	type $1_htaccess_t, httpd_content_type; # customizable;
++	typeattribute $1_htaccess_t httpd_content_type;
++	files_type($1_htaccess_t)
+ 
+ 	# Type that CGI scripts run as
+-	type httpd_$1_script_t,	httpd_script_type;
+-	domain_type(httpd_$1_script_t)
+-	role system_r types httpd_$1_script_t;
++	type $1_script_t,	httpd_script_type;
++	domain_type($1_script_t)
++	role system_r types $1_script_t;
+ 
+-	kernel_read_system_state(httpd_$1_script_t)
++	kernel_read_system_state($1_script_t)
+ 
+ 	# This type is used for executable scripts files
+-	type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
+-	typeattribute httpd_$1_script_exec_t httpd_content_type;
+-	domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)
++	type $1_script_exec_t, httpd_script_exec_type; # customizable;
++	typeattribute $1_script_exec_t httpd_content_type;
++	domain_entry_file($1_script_t, $1_script_exec_t)
+ 
+-	type httpd_$1_rw_content_t; # customizable
+-	typeattribute httpd_$1_rw_content_t httpd_content_type;
+-	typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t };
+-	files_type(httpd_$1_rw_content_t)
++	type $1_rw_content_t; # customizable
++	typeattribute $1_rw_content_t httpd_content_type;
++	typealias $1_rw_content_t alias { $1_script_rw_t };
++	files_type($1_rw_content_t)
+ 
+-	type httpd_$1_ra_content_t, httpd_content_type; # customizable
+-	typeattribute httpd_$1_ra_content_t httpd_content_type;
+-	typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
+-	files_type(httpd_$1_ra_content_t)
++	type $1_ra_content_t, httpd_content_type; # customizable
++	typeattribute $1_ra_content_t httpd_content_type;
++	typealias $1_ra_content_t alias { $1_script_ra_t $1_content_ra_t };
++	files_type($1_ra_content_t)
+ 
+ 	# Allow the script process to search the cgi directory, and users directory
+-	allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms;
++	allow $1_script_t $1_content_t:dir search_dir_perms;
+ 
+-	can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
+-	allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms;
++	can_exec($1_script_t, $1_script_exec_t)
++	allow $1_script_t $1_script_exec_t:dir list_dir_perms;
+ 
+-	allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
+-	read_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+-	append_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+-	create_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+-	read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
++	allow $1_script_t $1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
++	read_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
++	append_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
++	create_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
++	read_lnk_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
+ 
+-	allow httpd_$1_script_t httpd_$1_content_t:dir list_dir_perms;
+-	read_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t)
+-	read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t)
++	allow $1_script_t $1_content_t:dir list_dir_perms;
++	read_files_pattern($1_script_t, $1_content_t, $1_content_t)
++	read_lnk_files_pattern($1_script_t, $1_content_t, $1_content_t)
+ 
+-	manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+-	manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+-	manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+-	manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+-	manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
++	manage_dirs_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
++	manage_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
++	manage_lnk_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
++	manage_fifo_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
++	manage_sock_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
+ 
+ 	# Allow the web server to run scripts and serve pages
+ 	tunable_policy(`httpd_builtin_scripting',`
+-		manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+-		manage_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+-		manage_lnk_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+-		rw_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
++		manage_dirs_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
++		manage_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
++		manage_lnk_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
++		rw_sock_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
+ 
+-		allow httpd_t httpd_$1_ra_content_t:dir { add_entry_dir_perms };
+-		read_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+-		append_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+-		create_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+-		read_lnk_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
++		allow httpd_t $1_ra_content_t:dir { add_entry_dir_perms };
++		read_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
++		append_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
++		create_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
++		read_lnk_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
+ 
+ 	')
+ 
+ 	tunable_policy(`httpd_enable_cgi',`
+-		allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;
++		allow $1_script_t $1_script_exec_t:file entrypoint;
+ 
+-		domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
++		domtrans_pattern(httpd_suexec_t, $1_script_exec_t, $1_script_t)
+ 
+ 		# privileged users run the script:
+-		domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
++		domtrans_pattern(httpd_exec_scripts, $1_script_exec_t, $1_script_t)
+ 
+-		allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms;
++		allow httpd_exec_scripts $1_script_exec_t:file read_file_perms;
+ 
+ 		# apache runs the script:
+-		domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
+-		allow httpd_t httpd_$1_script_t:unix_dgram_socket sendto;
++		domtrans_pattern(httpd_t, $1_script_exec_t, $1_script_t)
++		allow httpd_t $1_script_t:unix_dgram_socket sendto;
+ 	')
+ ')
+ 
+ ########################################
+ ## <summary>
++##	Create a set of derived types for apache
++##	web content.
++## </summary>
++## <param name="prefix">
++##	<summary>
++##	The prefix to be used for deriving new type names.
++##	</summary>
++## </param>
++## <param name="oldprefix">
++##	<summary>
++##	The prefix to be used for deriving old type names.
++##	</summary>
++## </param>
++#
++template(`apache_content_alias_template',`
++	typealias $1_htaccess_t alias httpd_$2_htaccess_t;
++	typealias $1_script_t alias httpd_$2_script_t;
++	typealias $1_script_exec_t alias httpd_$2_script_exec_t;
++	typealias $1_content_t alias httpd_$2_content_t;
++	typealias $1_rw_content_t alias httpd_$2_script_rw_content_t;
++	typealias $1_ra_content_t alias httpd_$2_script_ra_content_t;
++')
++
++########################################
++## <summary>
+ ##	Role access for apache
+ ## </summary>
+ ## <param name="role">
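Review bot: The compatibility names created by `apache_content_alias_template` for the rw and ra types do not match anything the old template declared. The removed lines defined `httpd_$1_rw_content_t` (aliases `httpd_$1_script_rw_t`, `httpd_$1_content_rw_t`) and `httpd_$1_ra_content_t`, while the new aliases are `httpd_$2_script_rw_content_t` and `httpd_$2_script_ra_content_t`. Unless a part of the patch outside this view covers it, the old primary names are left undeclared, so existing labels such as `httpd_bugzilla_rw_content_t` and any local module that requires them would stop resolving after the update. I would alias the real old names, e.g. `typealias $1_rw_content_t alias { httpd_$2_rw_content_t httpd_$2_script_rw_t httpd_$2_content_rw_t };`, and do the same for the ra type.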
+diff --git a/apache.te b/apache.te
+index 0e09bca..85e992e 100644
+--- a/apache.te
++++ b/apache.te
+@@ -370,7 +370,7 @@ type httpd_suexec_tmp_t;
+ files_tmp_file(httpd_suexec_tmp_t)
+ 
+ # setup the system domain for system CGI scripts
+-apache_content_template(sys)
++apache_content_template(httpd_sys)
+ 
+ typeattribute httpd_sys_content_t httpdcontent; # customizable
+ typeattribute httpd_sys_rw_content_t httpdcontent; # customizable
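Review bot: Passing `httpd_sys` here changes what the template's alias lines expand to, and two legacy names appear to be lost. The template still contains `typealias $1_content_t alias httpd_$1_script_ro_t;`, which now yields `httpd_httpd_sys_script_ro_t` instead of `httpd_sys_script_ro_t`, and its rw alias list no longer includes `$1_content_rw_t`, so `httpd_sys_content_rw_t` is dropped. No `apache_content_alias_template` call follows this invocation, and the same applies to the `apache_content_template(httpd_user)` hunk below. I would change the template lines to `typealias $1_content_t alias $1_script_ro_t;` and `typealias $1_rw_content_t alias { $1_script_rw_t $1_content_rw_t };`, unless those aliases are restored somewhere outside this view.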
+@@ -389,7 +389,7 @@ files_tmp_file(httpd_tmp_t)
+ type httpd_tmpfs_t;
+ files_tmpfs_file(httpd_tmpfs_t)
+ 
+-apache_content_template(user)
++apache_content_template(httpd_user)
+ ubac_constrained(httpd_user_script_t)
+ 
+ typeattribute httpd_user_content_t httpdcontent;
+@@ -1619,6 +1619,7 @@ allow httpd_t httpd_script_exec_type:dir list_dir_perms;
+ allow httpd_script_type self:process { setsched signal_perms };
+ allow httpd_script_type self:unix_stream_socket create_stream_socket_perms;
+ allow httpd_script_type self:unix_dgram_socket create_socket_perms;
++allow httpd_script_type httpd_t:unix_stream_socket rw_stream_socket_perms;
+ 
+ allow httpd_script_type httpd_t:fd use;
+ allow httpd_script_type httpd_t:process sigchld;
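Review bot: The added `allow httpd_script_type httpd_t:unix_stream_socket rw_stream_socket_perms;` is a new grant rather than part of the type renaming, and it is made on the attribute. Every CGI script domain generated by `apache_content_template`, including the user script domain, gains read/write on stream sockets owned by `httpd_t`. The hunk gives no reason for it, so I would add a comment such as `# scripts inherit a connected stream socket from httpd, see <bug reference>`. If the denial only came from a leaked descriptor, a `dontaudit` or a grant limited to the affected script domain would be the narrower choice; that depends on the AVC that motivated it, which is not shown here.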
+diff --git a/apcupsd.fc b/apcupsd.fc
+index 1c37fe1..274704f 100644
+--- a/apcupsd.fc
++++ b/apcupsd.fc
+@@ -14,8 +14,8 @@
+ 
+ /var/run/apcupsd\.pid	--	gen_context(system_u:object_r:apcupsd_var_run_t,s0)
+ 
+-/var/www/apcupsd/multimon\.cgi	--	gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
+-/var/www/apcupsd/upsfstats\.cgi	--	gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
+-/var/www/apcupsd/upsimage\.cgi	--	gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
+-/var/www/apcupsd/upsstats\.cgi	--	gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
+-/var/www/cgi-bin/apcgui(/.*)?	gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
++/var/www/apcupsd/multimon\.cgi	--	gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0)
++/var/www/apcupsd/upsfstats\.cgi	--	gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0)
++/var/www/apcupsd/upsimage\.cgi	--	gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0)
++/var/www/apcupsd/upsstats\.cgi	--	gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0)
++/var/www/cgi-bin/apcgui(/.*)?	gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0)
+diff --git a/apcupsd.if b/apcupsd.if
+index b6afc90..9c06313 100644
+--- a/apcupsd.if
++++ b/apcupsd.if
+@@ -102,7 +102,7 @@ interface(`apcupsd_append_log',`
+ ########################################
+ ## <summary>
+ ##	Execute a domain transition to
+-##	run httpd_apcupsd_cgi_script.
++##	run apcupsd_cgi_script.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -112,11 +112,11 @@ interface(`apcupsd_append_log',`
+ #
+ interface(`apcupsd_cgi_script_domtrans',`
+ 	gen_require(`
+-		type httpd_apcupsd_cgi_script_t, httpd_apcupsd_cgi_script_exec_t;
++		type apcupsd_cgi_script_t, apcupsd_cgi_script_exec_t;
+ 	')
+ 
+ 	files_search_var($1)
+-	domtrans_pattern($1, httpd_apcupsd_cgi_script_exec_t, httpd_apcupsd_cgi_script_t)
++	domtrans_pattern($1, apcupsd_cgi_script_exec_t, apcupsd_cgi_script_t)
+ 
+ 	optional_policy(`
+ 		apache_search_sys_content($1)
+diff --git a/apcupsd.te b/apcupsd.te
+index b4c43c7..11c215a 100644
+--- a/apcupsd.te
++++ b/apcupsd.te
+@@ -116,19 +116,20 @@ optional_policy(`
+ 
+ optional_policy(`
+ 	apache_content_template(apcupsd_cgi)
+-
+-	allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms;
+-	allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms;
+-
+-	corenet_all_recvfrom_netlabel(httpd_apcupsd_cgi_script_t)
+-	corenet_tcp_sendrecv_generic_if(httpd_apcupsd_cgi_script_t)
+-	corenet_tcp_sendrecv_generic_node(httpd_apcupsd_cgi_script_t)
+-	corenet_tcp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t)
+-	corenet_sendrecv_apcupsd_client_packets(httpd_apcupsd_cgi_script_t)
+-	corenet_tcp_connect_apcupsd_port(httpd_apcupsd_cgi_script_t)
+-	corenet_udp_sendrecv_generic_if(httpd_apcupsd_cgi_script_t)
+-	corenet_udp_sendrecv_generic_node(httpd_apcupsd_cgi_script_t)
+-	corenet_udp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t)
+-
+-	sysnet_dns_name_resolve(httpd_apcupsd_cgi_script_t)
++	apache_content_alias_template(apcupsd_cgi, apcupsd_cgi)
++
++	allow apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms;
++	allow apcupsd_cgi_script_t self:udp_socket create_socket_perms;
++
++	corenet_all_recvfrom_netlabel(apcupsd_cgi_script_t)
++	corenet_tcp_sendrecv_generic_if(apcupsd_cgi_script_t)
++	corenet_tcp_sendrecv_generic_node(apcupsd_cgi_script_t)
++	corenet_tcp_sendrecv_all_ports(apcupsd_cgi_script_t)
++	corenet_sendrecv_apcupsd_client_packets(apcupsd_cgi_script_t)
++	corenet_tcp_connect_apcupsd_port(apcupsd_cgi_script_t)
++	corenet_udp_sendrecv_generic_if(apcupsd_cgi_script_t)
++	corenet_udp_sendrecv_generic_node(apcupsd_cgi_script_t)
++	corenet_udp_sendrecv_all_ports(apcupsd_cgi_script_t)
++
++	sysnet_dns_name_resolve(apcupsd_cgi_script_t)
+ ')
+diff --git a/awstats.fc b/awstats.fc
+index 11e6d5f..73b4ea4 100644
+--- a/awstats.fc
++++ b/awstats.fc
+@@ -1,5 +1,5 @@
+ /usr/share/awstats/tools/.+\.pl	--	gen_context(system_u:object_r:awstats_exec_t,s0)
+-/usr/share/awstats/wwwroot(/.*)?	gen_context(system_u:object_r:httpd_awstats_content_t,s0)
+-/usr/share/awstats/wwwroot/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_awstats_script_exec_t,s0)
++/usr/share/awstats/wwwroot(/.*)?	gen_context(system_u:object_r:awstats_content_t,s0)
++/usr/share/awstats/wwwroot/cgi-bin(/.*)?	gen_context(system_u:object_r:awstats_script_exec_t,s0)
+ 
+ /var/lib/awstats(/.*)?	gen_context(system_u:object_r:awstats_var_lib_t,s0)
+diff --git a/awstats.te b/awstats.te
+index c222135..ffbf2cb 100644
+--- a/awstats.te
++++ b/awstats.te
+@@ -26,6 +26,7 @@ type awstats_var_lib_t;
+ files_type(awstats_var_lib_t)
+ 
+ apache_content_template(awstats)
++apache_content_alias_template(awstats, awstats)
+ 
+ ########################################
+ #
+@@ -40,9 +41,9 @@ files_tmp_filetrans(awstats_t, awstats_tmp_t, { dir file })
+ 
+ manage_files_pattern(awstats_t, awstats_var_lib_t, awstats_var_lib_t)
+ 
+-allow awstats_t { httpd_awstats_content_t  httpd_awstats_script_exec_t }:dir search_dir_perms;
++allow awstats_t { awstats_content_t  awstats_script_exec_t }:dir search_dir_perms;
+ 
+-can_exec(awstats_t, { awstats_exec_t httpd_awstats_script_exec_t })
++can_exec(awstats_t, { awstats_exec_t awstats_script_exec_t })
+ 
+ kernel_dontaudit_read_system_state(awstats_t)
+ 
+@@ -86,13 +87,13 @@ optional_policy(`
+ # CGI local policy
+ #
+ 
+-apache_read_log(httpd_awstats_script_t)
++apache_read_log(awstats_script_t)
+ 
+-manage_dirs_pattern(httpd_awstats_script_t, awstats_tmp_t, awstats_tmp_t)
+-manage_files_pattern(httpd_awstats_script_t, awstats_tmp_t, awstats_tmp_t)
+-files_tmp_filetrans(httpd_awstats_script_t, awstats_tmp_t, { dir file })
++manage_dirs_pattern(awstats_script_t, awstats_tmp_t, awstats_tmp_t)
++manage_files_pattern(awstats_script_t, awstats_tmp_t, awstats_tmp_t)
++files_tmp_filetrans(awstats_script_t, awstats_tmp_t, { dir file })
+ 
+-allow httpd_awstats_script_t awstats_var_lib_t:dir list_dir_perms;
++allow awstats_script_t awstats_var_lib_t:dir list_dir_perms;
+ 
+-read_files_pattern(httpd_awstats_script_t, awstats_var_lib_t, awstats_var_lib_t)
+-files_search_var_lib(httpd_awstats_script_t)
++read_files_pattern(awstats_script_t, awstats_var_lib_t, awstats_var_lib_t)
++files_search_var_lib(awstats_script_t)
+diff --git a/bugzilla.fc b/bugzilla.fc
+index fb6e397..9efceac 100644
+--- a/bugzilla.fc
++++ b/bugzilla.fc
+@@ -1,4 +1,4 @@
+-/usr/share/bugzilla(/.*)?		gen_context(system_u:object_r:httpd_bugzilla_content_t,s0)
+-/usr/share/bugzilla/.*\.cgi	--	gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0)
++/usr/share/bugzilla(/.*)?		gen_context(system_u:object_r:bugzilla_content_t,s0)
++/usr/share/bugzilla/.*\.cgi	--	gen_context(system_u:object_r:bugzilla_script_exec_t,s0)
+ 
+-/var/lib/bugzilla(/.*)?	gen_context(system_u:object_r:httpd_bugzilla_rw_content_t,s0)
++/var/lib/bugzilla(/.*)?	gen_context(system_u:object_r:bugzilla_rw_content_t,s0)
+diff --git a/bugzilla.if b/bugzilla.if
+index bf0cefa..d9ea246 100644
+--- a/bugzilla.if
++++ b/bugzilla.if
+@@ -12,10 +12,10 @@
+ #
+ interface(`bugzilla_search_content',`
+ 	gen_require(`
+-		type httpd_bugzilla_content_t;
++		type bugzilla_content_t;
+ 	')
+ 
+-	allow $1 httpd_bugzilla_content_t:dir search_dir_perms;
++	allow $1 bugzilla_content_t:dir search_dir_perms;
+ ')
+ 
+ ########################################
+@@ -32,10 +32,10 @@ interface(`bugzilla_search_content',`
+ #
+ interface(`bugzilla_dontaudit_rw_stream_sockets',`
+ 	gen_require(`
+-		type httpd_bugzilla_script_t;
++		type bugzilla_script_t;
+ 	')
+ 
+-	dontaudit $1 httpd_bugzilla_script_t:unix_stream_socket { read write };
++	dontaudit $1 bugzilla_script_t:unix_stream_socket { read write };
+ ')
+ 
+ ########################################
+@@ -51,32 +51,32 @@ interface(`bugzilla_dontaudit_rw_stream_sockets',`
+ #
+ interface(`bugzilla_admin',`
+ 	gen_require(`
+-		type httpd_bugzilla_script_t, httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t;
+-		type httpd_bugzilla_rw_content_t, httpd_bugzilla_script_exec_t;
+-		type httpd_bugzilla_htaccess_t, httpd_bugzilla_tmp_t;
++		type bugzilla_script_t, bugzilla_content_t, bugzilla_ra_content_t;
++		type bugzilla_rw_content_t, bugzilla_script_exec_t;
++		type bugzilla_htaccess_t, bugzilla_tmp_t;
+ 	')
+ 
+-	allow $1 httpd_bugzilla_script_t:process signal_perms;
+-	ps_process_pattern($1, httpd_bugzilla_script_t)
++	allow $1 bugzilla_script_t:process signal_perms;
++	ps_process_pattern($1, bugzilla_script_t)
+ 
+ 	tunable_policy(`deny_ptrace',`',`
+-		allow $1 httpd_bugzilla_script_t:process ptrace;
++		allow $1 bugzilla_script_t:process ptrace;
+ 	')
+ 
+ 	files_list_tmp($1)
+-	admin_pattern($1, httpd_bugzilla_tmp_t)
++	admin_pattern($1, bugzilla_tmp_t)
+ 
+-	files_list_var_lib(httpd_bugzilla_script_t)
++	files_list_var_lib(bugzilla_script_t)
+ 
+-	admin_pattern($1, httpd_bugzilla_script_exec_t)
+-	admin_pattern($1, httpd_bugzilla_script_t)
+-	admin_pattern($1, httpd_bugzilla_content_t)
+-	admin_pattern($1, httpd_bugzilla_htaccess_t)
+-	admin_pattern($1, httpd_bugzilla_ra_content_t)
++	admin_pattern($1, bugzilla_script_exec_t)
++	admin_pattern($1, bugzilla_script_t)
++	admin_pattern($1, bugzilla_content_t)
++	admin_pattern($1, bugzilla_htaccess_t)
++	admin_pattern($1, bugzilla_ra_content_t)
+ 
+ 	files_search_tmp($1)
+ 	files_search_var_lib($1)
+-	admin_pattern($1, httpd_bugzilla_rw_content_t)
++	admin_pattern($1, bugzilla_rw_content_t)
+ 
+ 	optional_policy(`
+ 		apache_list_sys_content($1)
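Review bot: Inside `bugzilla_admin`, `files_list_var_lib(bugzilla_script_t)` grants access to the script domain rather than to the caller `$1`, so each use of this admin interface emits a rule for a domain unrelated to the administrator being configured. The rename carries this line over unchanged, and `files_search_var_lib($1)` a few lines later suggests `$1` was the intended subject. I would either change it to `files_list_var_lib($1)` or, if the script domain really needs the access, move the call to bugzilla.te, where bugzilla.te's other rules for `bugzilla_script_t` live. The interface body continues past the end of this hunk.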
+diff --git a/bugzilla.te b/bugzilla.te
+index d9f3061..c62f617 100644
+--- a/bugzilla.te
++++ b/bugzilla.te
+@@ -6,54 +6,55 @@ policy_module(bugzilla, 1.1.0)
+ #
+ 
+ apache_content_template(bugzilla)
++apache_content_alias_template(bugzilla, bugzilla)
+ 
+-type httpd_bugzilla_tmp_t;
+-files_tmp_file(httpd_bugzilla_tmp_t)
++type bugzilla_tmp_t alias httpd_bugzilla_tmp_t;
++files_tmp_file(bugzilla_tmp_t)
+ 
+ ########################################
+ #
+ # Local policy
+ #
+ 
+-allow httpd_bugzilla_script_t self:tcp_socket { accept listen };
++allow bugzilla_script_t self:tcp_socket { accept listen };
+ 
+-corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t)
+-corenet_tcp_sendrecv_generic_if(httpd_bugzilla_script_t)
+-corenet_tcp_sendrecv_generic_node(httpd_bugzilla_script_t)
++corenet_all_recvfrom_netlabel(bugzilla_script_t)
++corenet_tcp_sendrecv_generic_if(bugzilla_script_t)
++corenet_tcp_sendrecv_generic_node(bugzilla_script_t)
+ 
+-corenet_sendrecv_http_client_packets(httpd_bugzilla_script_t)
+-corenet_tcp_connect_http_port(httpd_bugzilla_script_t)
+-corenet_tcp_sendrecv_http_port(httpd_bugzilla_script_t)
++corenet_sendrecv_http_client_packets(bugzilla_script_t)
++corenet_tcp_connect_http_port(bugzilla_script_t)
++corenet_tcp_sendrecv_http_port(bugzilla_script_t)
+ 
+-corenet_sendrecv_smtp_client_packets(httpd_bugzilla_script_t)
+-corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t)
+-corenet_tcp_sendrecv_smtp_port(httpd_bugzilla_script_t)
++corenet_sendrecv_smtp_client_packets(bugzilla_script_t)
++corenet_tcp_connect_smtp_port(bugzilla_script_t)
++corenet_tcp_sendrecv_smtp_port(bugzilla_script_t)
+ 
+-manage_dirs_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t)
+-manage_files_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t)
+-files_tmp_filetrans(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, { file dir })
++manage_dirs_pattern(bugzilla_script_t, bugzilla_tmp_t, bugzilla_tmp_t)
++manage_files_pattern(bugzilla_script_t, bugzilla_tmp_t, bugzilla_tmp_t)
++files_tmp_filetrans(bugzilla_script_t, bugzilla_tmp_t, { file dir })
+ 
+-files_search_var_lib(httpd_bugzilla_script_t)
++files_search_var_lib(bugzilla_script_t)
+ 
+-auth_read_passwd(httpd_bugzilla_script_t)
++auth_read_passwd(bugzilla_script_t)
+ 
+-dev_read_sysfs(httpd_bugzilla_script_t)
++dev_read_sysfs(bugzilla_script_t)
+ 
+-sysnet_read_config(httpd_bugzilla_script_t)
+-sysnet_use_ldap(httpd_bugzilla_script_t)
++sysnet_read_config(bugzilla_script_t)
++sysnet_use_ldap(bugzilla_script_t)
+ 
+-miscfiles_read_certs(httpd_bugzilla_script_t)
++miscfiles_read_certs(bugzilla_script_t)
+ 
+ optional_policy(`
+-	mta_send_mail(httpd_bugzilla_script_t)
++	mta_send_mail(bugzilla_script_t)
+ ')
+ 
+ optional_policy(`
+-	mysql_stream_connect(httpd_bugzilla_script_t)
+-	mysql_tcp_connect(httpd_bugzilla_script_t)
++	mysql_stream_connect(bugzilla_script_t)
++	mysql_tcp_connect(bugzilla_script_t)
+ ')
+ 
+ optional_policy(`
+-	postgresql_stream_connect(httpd_bugzilla_script_t)
+-	postgresql_tcp_connect(httpd_bugzilla_script_t)
++	postgresql_stream_connect(bugzilla_script_t)
++	postgresql_tcp_connect(bugzilla_script_t)
+ ')
+diff --git a/collectd.fc b/collectd.fc
+index 2e7d7ed..8d70290 100644
+--- a/collectd.fc
++++ b/collectd.fc
+@@ -8,4 +8,4 @@
+ 
+ /var/run/collectd\.pid	--	gen_context(system_u:object_r:collectd_var_run_t,s0)
+ 
+-/usr/share/collectd/collection3/bin/.*\.cgi	--	gen_context(system_u:object_r:httpd_collectd_script_exec_t,s0)
++/usr/share/collectd/collection3/bin/.*\.cgi	--	gen_context(system_u:object_r:collectd_script_exec_t,s0)
+diff --git a/collectd.te b/collectd.te
+index dc0423c..d078b96 100644
+--- a/collectd.te
++++ b/collectd.te
+@@ -30,9 +30,10 @@ type collectd_unit_file_t;
+ systemd_unit_file(collectd_unit_file_t)
+ 
+ apache_content_template(collectd)
++apache_content_alias_template(collectd, collectd)
+ 
+-type httpd_collectd_script_tmp_t;
+-files_tmp_file(httpd_collectd_script_tmp_t)
++type collectd_script_tmp_t alias httpd_collectd_script_tmp_t;
++files_tmp_file(collectd_script_tmp_t)
+ 
+ ########################################
+ #
+@@ -102,13 +103,13 @@ optional_policy(`
+ #
+ 
+ 
+-files_search_var_lib(httpd_collectd_script_t)	
+-read_files_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
+-list_dirs_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
+-miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t)
++files_search_var_lib(collectd_script_t)	
++read_files_pattern(collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
++list_dirs_pattern(collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
++miscfiles_setattr_fonts_cache_dirs(collectd_script_t)
+ 
+-manage_dirs_pattern(httpd_collectd_script_t, httpd_collectd_script_tmp_t, httpd_collectd_script_tmp_t)
+-manage_files_pattern(httpd_collectd_script_t, httpd_collectd_script_tmp_t, httpd_collectd_script_tmp_t)
+-files_tmp_filetrans(httpd_collectd_script_t, httpd_collectd_script_tmp_t, { file dir })	
++manage_dirs_pattern(collectd_script_t, collectd_script_tmp_t, collectd_script_tmp_t)
++manage_files_pattern(collectd_script_t, collectd_script_tmp_t, collectd_script_tmp_t)
++files_tmp_filetrans(collectd_script_t, collectd_script_tmp_t, { file dir })	
+ 
+-auth_read_passwd(httpd_collectd_script_t)
++auth_read_passwd(collectd_script_t)
+diff --git a/cvs.fc b/cvs.fc
+index 75c8be9..e07e602 100644
+--- a/cvs.fc
++++ b/cvs.fc
+@@ -4,10 +4,10 @@
+ 
+ /usr/bin/cvs	--	gen_context(system_u:object_r:cvs_exec_t,s0)
+ 
+-/usr/share/cvsweb/cvsweb\.cgi	--	gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0)
++/usr/share/cvsweb/cvsweb\.cgi	--	gen_context(system_u:object_r:cvs_script_exec_t,s0)
+ 
+ /var/cvs(/.*)?	gen_context(system_u:object_r:cvs_data_t,s0)
+ 
+ /var/run/cvs\.pid	--	gen_context(system_u:object_r:cvs_var_run_t,s0)
+ 
+-/var/www/cgi-bin/cvsweb\.cgi	--	gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0)
++/var/www/cgi-bin/cvsweb\.cgi	--	gen_context(system_u:object_r:cvs_script_exec_t,s0)
+diff --git a/cvs.te b/cvs.te
+index f98a932..c3502c3 100644
+--- a/cvs.te
++++ b/cvs.te
+@@ -125,9 +125,10 @@ optional_policy(`
+ 
+ optional_policy(`
+ 	apache_content_template(cvs)
++	apache_content_alias_template(cvs, cvs)
+ 
+-	read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
+-	manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+-	manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+-	files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
++	read_files_pattern(cvs_script_t, cvs_data_t, cvs_data_t)
++	manage_dirs_pattern(cvs_script_t, cvs_tmp_t, cvs_tmp_t)
++	manage_files_pattern(cvs_script_t, cvs_tmp_t, cvs_tmp_t)
++	files_tmp_filetrans(cvs_script_t, cvs_tmp_t, { file dir })
+ ')
+diff --git a/dirsrv-admin.fc b/dirsrv-admin.fc
+index 8c44697..5e44c5e 100644
+--- a/dirsrv-admin.fc
++++ b/dirsrv-admin.fc
+@@ -6,8 +6,8 @@
+ /usr/sbin/start-ds-admin	--	gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
+ /usr/sbin/stop-ds-admin		--	gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
+ 
+-/usr/lib/dirsrv/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0)
+-/usr/lib/dirsrv/dsgw-cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0)
++/usr/lib/dirsrv/cgi-bin(/.*)?	gen_context(system_u:object_r:dirsrvadmin_script_exec_t,s0)
++/usr/lib/dirsrv/dsgw-cgi-bin(/.*)?	gen_context(system_u:object_r:dirsrvadmin_script_exec_t,s0)
+ 
+ /usr/lib/dirsrv/cgi-bin/ds_create    --  gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0)
+ /usr/lib/dirsrv/cgi-bin/ds_remove    --  gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0)
+diff --git a/dirsrv-admin.if b/dirsrv-admin.if
+index 30416f2..e360d38 100644
+--- a/dirsrv-admin.if
++++ b/dirsrv-admin.if
+@@ -29,13 +29,13 @@ interface(`dirsrvadmin_run_exec',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dirsrvadmin_run_httpd_script_exec',`
++interface(`dirsrvadmin_run_script_exec',`
+ 	gen_require(`
+-		type httpd_dirsrvadmin_script_exec_t;
++		type dirsrvadmin_script_exec_t;
+ 	')
+ 
+-	allow $1 httpd_dirsrvadmin_script_exec_t:dir search_dir_perms;
+-	can_exec($1, httpd_dirsrvadmin_script_exec_t)
++	allow $1 dirsrvadmin_script_exec_t:dir search_dir_perms;
++	can_exec($1, dirsrvadmin_script_exec_t)
+ ')
+ 
+ ########################################
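Review bot: Renaming the interface from `dirsrvadmin_run_httpd_script_exec` to `dirsrvadmin_run_script_exec` removes a public name without leaving a compatibility shim. Any module outside this patch that still calls the old name will fail to build, or will be silently skipped if the call sits in an `optional_policy` block, leaving that domain without the access it expects. The type names get aliases elsewhere in this patch, but the interface does not. I would keep the old name as a deprecated wrapper, as sketched below, unless every caller is updated in a part of the patch outside this view.

```selinux
# … unchanged: dirsrvadmin_run_script_exec as renamed in the hunk …
interface(`dirsrvadmin_run_httpd_script_exec',`
	refpolicywarn(`$0($*) has been deprecated, use dirsrvadmin_run_script_exec() instead.')
	dirsrvadmin_run_script_exec($1)
')
```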
+diff --git a/dirsrv-admin.te b/dirsrv-admin.te
+index 021c5ae..37afbd4 100644
+--- a/dirsrv-admin.te
++++ b/dirsrv-admin.te
+@@ -70,59 +70,60 @@ optional_policy(`
+ 
+ optional_policy(`
+ 	apache_content_template(dirsrvadmin)
++	apache_content_alias_template(dirsrvadmin, dirsrvadmin)
+ 
+-	allow httpd_dirsrvadmin_script_t self:process { getsched getpgid };
+-	allow httpd_dirsrvadmin_script_t self:capability { fowner fsetid setuid net_bind_service setgid chown sys_nice kill dac_read_search dac_override };
+-	allow httpd_dirsrvadmin_script_t self:tcp_socket create_stream_socket_perms;
+-	allow httpd_dirsrvadmin_script_t self:udp_socket create_socket_perms;
+-	allow httpd_dirsrvadmin_script_t self:unix_dgram_socket create_socket_perms;
+-	allow httpd_dirsrvadmin_script_t self:netlink_route_socket r_netlink_socket_perms;
+-	allow httpd_dirsrvadmin_script_t self:sem create_sem_perms;
++	allow dirsrvadmin_script_t self:process { getsched getpgid };
++	allow dirsrvadmin_script_t self:capability { fowner fsetid setuid net_bind_service setgid chown sys_nice kill dac_read_search dac_override };
++	allow dirsrvadmin_script_t self:tcp_socket create_stream_socket_perms;
++	allow dirsrvadmin_script_t self:udp_socket create_socket_perms;
++	allow dirsrvadmin_script_t self:unix_dgram_socket create_socket_perms;
++	allow dirsrvadmin_script_t self:netlink_route_socket r_netlink_socket_perms;
++	allow dirsrvadmin_script_t self:sem create_sem_perms;
+ 
+ 
+-	manage_files_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_lock_t, dirsrvadmin_lock_t)
+-	files_lock_filetrans(httpd_dirsrvadmin_script_t, dirsrvadmin_lock_t, { file })
++	manage_files_pattern(dirsrvadmin_script_t, dirsrvadmin_lock_t, dirsrvadmin_lock_t)
++	files_lock_filetrans(dirsrvadmin_script_t, dirsrvadmin_lock_t, { file })
+ 
+-	kernel_read_kernel_sysctls(httpd_dirsrvadmin_script_t)
++	kernel_read_kernel_sysctls(dirsrvadmin_script_t)
+ 
+ 
+-	corenet_tcp_bind_generic_node(httpd_dirsrvadmin_script_t)
+-	corenet_udp_bind_generic_node(httpd_dirsrvadmin_script_t)
+-	corenet_all_recvfrom_netlabel(httpd_dirsrvadmin_script_t)
++	corenet_tcp_bind_generic_node(dirsrvadmin_script_t)
++	corenet_udp_bind_generic_node(dirsrvadmin_script_t)
++	corenet_all_recvfrom_netlabel(dirsrvadmin_script_t)
+ 
+-	corenet_tcp_bind_http_port(httpd_dirsrvadmin_script_t)
+-	corenet_tcp_connect_generic_port(httpd_dirsrvadmin_script_t)
+-	corenet_tcp_connect_ldap_port(httpd_dirsrvadmin_script_t)
+-	corenet_tcp_connect_http_port(httpd_dirsrvadmin_script_t)
++	corenet_tcp_bind_http_port(dirsrvadmin_script_t)
++	corenet_tcp_connect_generic_port(dirsrvadmin_script_t)
++	corenet_tcp_connect_ldap_port(dirsrvadmin_script_t)
++	corenet_tcp_connect_http_port(dirsrvadmin_script_t)
+ 
+-	files_search_var_lib(httpd_dirsrvadmin_script_t)
++	files_search_var_lib(dirsrvadmin_script_t)
+ 
+-	sysnet_read_config(httpd_dirsrvadmin_script_t)
++	sysnet_read_config(dirsrvadmin_script_t)
+ 
+-	manage_files_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+-	manage_dirs_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+-	files_tmp_filetrans(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, { file dir })
++	manage_files_pattern(dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
++	manage_dirs_pattern(dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
++	files_tmp_filetrans(dirsrvadmin_script_t, dirsrvadmin_tmp_t, { file dir })
+ 
+ 	optional_policy(`
+-		apache_read_modules(httpd_dirsrvadmin_script_t)
+-		apache_read_config(httpd_dirsrvadmin_script_t)
+-		apache_signal(httpd_dirsrvadmin_script_t)
+-		apache_signull(httpd_dirsrvadmin_script_t)
++		apache_read_modules(dirsrvadmin_script_t)
++		apache_read_config(dirsrvadmin_script_t)
++		apache_signal(dirsrvadmin_script_t)
++		apache_signull(dirsrvadmin_script_t)
+ 	')
+ 
+ 	optional_policy(`
+ 		# The CGI scripts must be able to manage dirsrv-admin
+-		dirsrvadmin_run_exec(httpd_dirsrvadmin_script_t)
+-		dirsrvadmin_manage_config(httpd_dirsrvadmin_script_t)
+-		dirsrv_domtrans(httpd_dirsrvadmin_script_t)
+-		dirsrv_signal(httpd_dirsrvadmin_script_t)
+-		dirsrv_signull(httpd_dirsrvadmin_script_t)
+-		dirsrv_manage_log(httpd_dirsrvadmin_script_t)
+-		dirsrv_manage_var_lib(httpd_dirsrvadmin_script_t)
+-		dirsrv_pid_filetrans(httpd_dirsrvadmin_script_t)
+-		dirsrv_manage_var_run(httpd_dirsrvadmin_script_t)
+-		dirsrv_manage_config(httpd_dirsrvadmin_script_t)
+-		dirsrv_read_share(httpd_dirsrvadmin_script_t)
++		dirsrvadmin_run_exec(dirsrvadmin_script_t)
++		dirsrvadmin_manage_config(dirsrvadmin_script_t)
++		dirsrv_domtrans(dirsrvadmin_script_t)
++		dirsrv_signal(dirsrvadmin_script_t)
++		dirsrv_signull(dirsrvadmin_script_t)
++		dirsrv_manage_log(dirsrvadmin_script_t)
++		dirsrv_manage_var_lib(dirsrvadmin_script_t)
++		dirsrv_pid_filetrans(dirsrvadmin_script_t)
++		dirsrv_manage_var_run(dirsrvadmin_script_t)
++		dirsrv_manage_config(dirsrvadmin_script_t)
++		dirsrv_read_share(dirsrvadmin_script_t)
+ 	')
+ ')
+ 
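Review bot: The capability set on the renamed `allow dirsrvadmin_script_t self:capability { ... }` line carries no justification, although it gives a CGI domain `dac_override`, `dac_read_search`, `setuid`, `setgid`, `chown` and `fowner`, and the same block lets it bind the HTTP port and connect to generic ports. The rename keeps those grants as they were, so this is a good point to add a comment above the line saying which admin operation needs each capability. That lets a later reviewer trim the set, for example `# TODO(review): confirm dac_override/dac_read_search are still required by the admin CGIs`. The need for each capability cannot be judged from this hunk alone.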
+diff --git a/dspam.fc b/dspam.fc
+index 3ea0423..b5fcb77 100644
+--- a/dspam.fc
++++ b/dspam.fc
+@@ -2,7 +2,7 @@
+ 
+ /usr/bin/dspam	--	gen_context(system_u:object_r:dspam_exec_t,s0)
+ 
+-/usr/share/dspam-web/dspam\.cgi	--	gen_context(system_u:object_r:httpd_dspam_script_exec_t,s0)
++/usr/share/dspam-web/dspam\.cgi	--	gen_context(system_u:object_r:dspam_script_exec_t,s0)
+ 
+ /var/lib/dspam(/.*)?	gen_context(system_u:object_r:dspam_var_lib_t,s0)
+ 
+@@ -11,7 +11,7 @@
+ /var/run/dspam(/.*)?	gen_context(system_u:object_r:dspam_var_run_t,s0)
+ 
+ # web
+-/var/www/dspam/.*\.cgi 	--	gen_context(system_u:object_r:httpd_dspam_script_exec_t,s0)
+-/var/www/dspam(/.*?)		gen_context(system_u:object_r:httpd_dspam_content_t,s0)
++/var/www/dspam/.*\.cgi 	--	gen_context(system_u:object_r:dspam_script_exec_t,s0)
++/var/www/dspam(/.*?)		gen_context(system_u:object_r:dspam_content_t,s0)
+ 
+-/var/lib/dspam/data(/.*)?			gen_context(system_u:object_r:httpd_dspam_rw_content_t,s0)
++/var/lib/dspam/data(/.*)?			gen_context(system_u:object_r:dspam_rw_content_t,s0)
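Review bot: The renamed `/var/www/dspam(/.*?)` entry keeps what looks like a misplaced `?` inside the group. As written the pattern requires a `/` after `dspam`, so the directory `/var/www/dspam` itself is not matched and would presumably fall back to whatever broader `/var/www` rule applies. If the intent is the usual "directory and everything below it" form used on the other lines of this file, the new line should read `/var/www/dspam(/.*)?		gen_context(system_u:object_r:dspam_content_t,s0)`.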
+diff --git a/dspam.te b/dspam.te
+index 37c844b..1ec4d89 100644
+--- a/dspam.te
++++ b/dspam.te
+@@ -75,29 +75,27 @@ logging_send_syslog_msg(dspam_t)
+ 
+ optional_policy(`
+ 	apache_content_template(dspam)
++	apache_content_alias_template(dspam, dspam)
+ 
+-	read_files_pattern(httpd_dspam_script_t, dspam_var_lib_t, dspam_var_lib_t)
++	read_files_pattern(dspam_script_t, dspam_var_lib_t, dspam_var_lib_t)
+ 
+-	files_search_var_lib(httpd_dspam_script_t)
+-	list_dirs_pattern(dspam_t, httpd_dspam_content_t, httpd_dspam_content_t)
+-	manage_dirs_pattern(dspam_t, httpd_dspam_content_rw_t, httpd_dspam_content_rw_t)
+-	manage_files_pattern(dspam_t, httpd_dspam_content_rw_t, httpd_dspam_content_rw_t)
++	files_search_var_lib(dspam_script_t)
+ 
+-	domain_dontaudit_read_all_domains_state(httpd_dspam_script_t)
++	domain_dontaudit_read_all_domains_state(dspam_script_t)
+ 
+-	term_dontaudit_search_ptys(httpd_dspam_script_t)
+-	term_dontaudit_getattr_all_ttys(httpd_dspam_script_t)
+-	term_dontaudit_getattr_all_ptys(httpd_dspam_script_t)
++	term_dontaudit_search_ptys(dspam_script_t)
++	term_dontaudit_getattr_all_ttys(dspam_script_t)
++	term_dontaudit_getattr_all_ptys(dspam_script_t)
+ 
+-	init_read_utmp(httpd_dspam_script_t)
++	init_read_utmp(dspam_script_t)
+ 
+-	logging_send_syslog_msg(httpd_dspam_script_t)
++	logging_send_syslog_msg(dspam_script_t)
+ 
+-	mta_send_mail(httpd_dspam_script_t)
++	mta_send_mail(dspam_script_t)
+ 
+ 	optional_policy(`
+-	    mysql_tcp_connect(httpd_dspam_script_t)
+-	    mysql_stream_connect(httpd_dspam_script_t)
++	    mysql_tcp_connect(dspam_script_t)
++	    mysql_stream_connect(dspam_script_t)
+ 	')
+ ')
+ 
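Review bot: Three rules for `dspam_t` are removed here with no replacement: `list_dirs_pattern` on the content type and `manage_dirs_pattern`/`manage_files_pattern` on `httpd_dspam_content_rw_t`. Everything else in the hunk is a one-for-one rename. dspam.fc in this same patch labels `/var/lib/dspam/data(/.*)?` as `dspam_rw_content_t`, so unless another rule outside this hunk covers it, the daemon domain loses write access to that tree after a relabel. If the daemon still needs it, add `manage_dirs_pattern(dspam_t, dspam_rw_content_t, dspam_rw_content_t)` and `manage_files_pattern(dspam_t, dspam_rw_content_t, dspam_rw_content_t)`. If the removal is deliberate, a one-line comment saying so would keep the access from being re-added by mistake.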
+diff --git a/git.fc b/git.fc
+index 24700f8..6561d56 100644
+--- a/git.fc
++++ b/git.fc
+@@ -2,12 +2,12 @@ HOME_DIR/public_git(/.*)?	gen_context(system_u:object_r:git_user_content_t,s0)
+ 
+ /usr/libexec/git-core/git-daemon	--	gen_context(system_u:object_r:gitd_exec_t,s0)
+ 
+-/var/cache/cgit(/.*)?	gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
+-/var/cache/gitweb-caching(/.*)?	gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
++/var/cache/cgit(/.*)?	gen_context(system_u:object_r:git_rw_content_t,s0)
++/var/cache/gitweb-caching(/.*)?	gen_context(system_u:object_r:git_rw_content_t,s0)
+ 
+ /var/lib/git(/.*)?	gen_context(system_u:object_r:git_sys_content_t,s0)
+ 
+-/var/www/cgi-bin/cgit	--	gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
+-/var/www/git(/.*)?	gen_context(system_u:object_r:httpd_git_content_t,s0)
+-/var/www/git/gitweb\.cgi	--	gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
+-/var/www/gitweb-caching/gitweb\.cgi	--	gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
++/var/www/cgi-bin/cgit	--	gen_context(system_u:object_r:git_script_exec_t,s0)
++/var/www/git(/.*)?	gen_context(system_u:object_r:git_content_t,s0)
++/var/www/git/gitweb\.cgi	--	gen_context(system_u:object_r:git_script_exec_t,s0)
++/var/www/gitweb-caching/gitweb\.cgi	--	gen_context(system_u:object_r:git_script_exec_t,s0)
+diff --git a/git.te b/git.te
+index 2609364..d3caffa 100644
+--- a/git.te
++++ b/git.te
+@@ -75,6 +75,7 @@ attribute git_daemon;
+ attribute_role git_session_roles;
+ 
+ apache_content_template(git)
++apache_content_alias_template(git, git)
+ 
+ type git_system_t, git_daemon;
+ type gitd_exec_t;
+@@ -210,48 +211,48 @@ tunable_policy(`git_system_use_nfs',`
+ # CGI policy
+ #
+ 
+-list_dirs_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
+-read_files_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
+-files_search_var_lib(httpd_git_script_t)
++list_dirs_pattern(git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
++read_files_pattern(git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
++files_search_var_lib(git_script_t)
+ 
+-files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)
++files_dontaudit_getattr_tmp_dirs(git_script_t)
+ 
+-auth_use_nsswitch(httpd_git_script_t)
++auth_use_nsswitch(git_script_t)
+ 
+ tunable_policy(`git_cgi_enable_homedirs',`
+-	userdom_search_user_home_dirs(httpd_git_script_t)
++	userdom_search_user_home_dirs(git_script_t)
+ ')
+ 
+ tunable_policy(`git_cgi_enable_homedirs && use_nfs_home_dirs',`
+-	fs_getattr_nfs(httpd_git_script_t)
+-	fs_list_nfs(httpd_git_script_t)
+-	fs_read_nfs_files(httpd_git_script_t)
++	fs_getattr_nfs(git_script_t)
++	fs_list_nfs(git_script_t)
++	fs_read_nfs_files(git_script_t)
+ ',`
+-	fs_dontaudit_read_nfs_files(httpd_git_script_t)
++	fs_dontaudit_read_nfs_files(git_script_t)
+ ')
+ 
+ tunable_policy(`git_cgi_enable_homedirs && use_samba_home_dirs',`
+-	fs_getattr_cifs(httpd_git_script_t)
+-	fs_list_cifs(httpd_git_script_t)
+-	fs_read_cifs_files(httpd_git_script_t)
++	fs_getattr_cifs(git_script_t)
++	fs_list_cifs(git_script_t)
++	fs_read_cifs_files(git_script_t)
+ ',`
+-	fs_dontaudit_read_cifs_files(httpd_git_script_t)
++	fs_dontaudit_read_cifs_files(git_script_t)
+ ')
+ 
+ tunable_policy(`git_cgi_use_cifs',`
+-	fs_getattr_cifs(httpd_git_script_t)
+-	fs_list_cifs(httpd_git_script_t)
+-	fs_read_cifs_files(httpd_git_script_t)
++	fs_getattr_cifs(git_script_t)
++	fs_list_cifs(git_script_t)
++	fs_read_cifs_files(git_script_t)
+ ',`
+-	fs_dontaudit_read_cifs_files(httpd_git_script_t)
++	fs_dontaudit_read_cifs_files(git_script_t)
+ ')
+ 
+ tunable_policy(`git_cgi_use_nfs',`
+-	fs_getattr_nfs(httpd_git_script_t)
+-	fs_list_nfs(httpd_git_script_t)
+-	fs_read_nfs_files(httpd_git_script_t)
++	fs_getattr_nfs(git_script_t)
++	fs_list_nfs(git_script_t)
++	fs_read_nfs_files(git_script_t)
+ ',`
+-	fs_dontaudit_read_nfs_files(httpd_git_script_t)
++	fs_dontaudit_read_nfs_files(git_script_t)
+ ')
+ 
+ ########################################
+diff --git a/lightsquid.fc b/lightsquid.fc
+index 044390c..63e2058 100644
+--- a/lightsquid.fc
++++ b/lightsquid.fc
+@@ -1,11 +1,11 @@
+ /etc/cron\.daily/lightsquid	--	gen_context(system_u:object_r:lightsquid_exec_t,s0)
+ 
+-/usr/lib/cgi-bin/lightsquid/.*\.cfg	--	gen_context(system_u:object_r:httpd_lightsquid_content_t,s0)
+-/usr/lib/cgi-bin/lightsquid/.*\.cgi	--	gen_context(system_u:object_r:httpd_lightsquid_script_exec_t,s0)
++/usr/lib/cgi-bin/lightsquid/.*\.cfg	--	gen_context(system_u:object_r:lightsquid_content_t,s0)
++/usr/lib/cgi-bin/lightsquid/.*\.cgi	--	gen_context(system_u:object_r:lightsquid_script_exec_t,s0)
+ 
+-/usr/share/lightsquid/cgi/.*\.cgi	--	gen_context(system_u:object_r:httpd_lightsquid_script_exec_t,s0)
++/usr/share/lightsquid/cgi/.*\.cgi	--	gen_context(system_u:object_r:lightsquid_script_exec_t,s0)
+ 
+ /var/lightsquid(/.*)?	gen_context(system_u:object_r:lightsquid_rw_content_t,s0)
+ 
+-/var/www/html/lightsquid(/.*)?	gen_context(system_u:object_r:httpd_lightsquid_content_t,s0)
+-/var/www/html/lightsquid/report(/.*)?	gen_context(system_u:object_r:lightsquid_rw_content_t,s0)
++/var/www/html/lightsquid(/.*)?	gen_context(system_u:object_r:lightsquid_content_t,s0)
++/var/www/html/lightsquid/report(/.*)?	gen_context(system_u:object_r:lightsquid_report_content_t,s0)
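Review bot: The unchanged context line `/var/lightsquid(/.*)?` still assigns `lightsquid_rw_content_t`, while lightsquid.te in this patch moves the private type and every `lightsquid_t` manage rule, including `files_var_filetrans`, to `lightsquid_report_content_t`. After a relabel `/var/lightsquid` would carry a type that `lightsquid_t` has no visible rules for. That type is presumably now the web-script read/write type from `apache_content_template(lightsquid)`, so the CGI domain may gain write access it did not have before. If the directory is meant to stay report data owned by the cron job, the line should become `/var/lightsquid(/.*)?	gen_context(system_u:object_r:lightsquid_report_content_t,s0)`.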
+diff --git a/lightsquid.te b/lightsquid.te
+index 75854ed..6c7855e 100644
+--- a/lightsquid.te
++++ b/lightsquid.te
+@@ -13,18 +13,18 @@ type lightsquid_exec_t;
+ application_domain(lightsquid_t, lightsquid_exec_t)
+ role lightsquid_roles types lightsquid_t;
+ 
+-type lightsquid_rw_content_t;
+-files_type(lightsquid_rw_content_t)
++type lightsquid_report_content_t;
++files_type(lightsquid_report_content_t)
+ 
+ ########################################
+ #
+ # Local policy
+ #
+ 
+-manage_dirs_pattern(lightsquid_t, lightsquid_rw_content_t, lightsquid_rw_content_t)
+-manage_files_pattern(lightsquid_t, lightsquid_rw_content_t, lightsquid_rw_content_t)
+-manage_lnk_files_pattern(lightsquid_t, lightsquid_rw_content_t, lightsquid_rw_content_t)
+-files_var_filetrans(lightsquid_t, lightsquid_rw_content_t, dir)
++manage_dirs_pattern(lightsquid_t, lightsquid_report_content_t, lightsquid_report_content_t)
++manage_files_pattern(lightsquid_t, lightsquid_report_content_t, lightsquid_report_content_t)
++manage_lnk_files_pattern(lightsquid_t, lightsquid_report_content_t, lightsquid_report_content_t)
++files_var_filetrans(lightsquid_t, lightsquid_report_content_t, dir)
+ 
+ corecmd_exec_bin(lightsquid_t)
+ corecmd_exec_shell(lightsquid_t)
+@@ -36,10 +36,11 @@ squid_read_log(lightsquid_t)
+ 
+ optional_policy(`
+ 	apache_content_template(lightsquid)
++	apache_content_alias_template(lightsquid, lightsquid)
+ 
+-	list_dirs_pattern(httpd_lightsquid_script_t, lightsquid_rw_content_t, lightsquid_rw_content_t)
+-	read_files_pattern(httpd_lightsquid_script_t, lightsquid_rw_content_t, lightsquid_rw_content_t)
+-	read_lnk_files_pattern(httpd_lightsquid_script_t, lightsquid_rw_content_t, lightsquid_rw_content_t)
++	list_dirs_pattern(lightsquid_script_t, lightsquid_report_content_t, lightsquid_report_content_t)
++	read_files_pattern(lightsquid_script_t, lightsquid_report_content_t, lightsquid_report_content_t)
++	read_lnk_files_pattern(lightsquid_script_t, lightsquid_report_content_t, lightsquid_report_content_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/man2html.fc b/man2html.fc
+index 82f6255..3686732 100644
+--- a/man2html.fc
++++ b/man2html.fc
+@@ -1,5 +1,5 @@
+-/usr/lib/man2html/cgi-bin/man/man2html	--	gen_context(system_u:object_r:httpd_man2html_script_exec_t,s0)
+-/usr/lib/man2html/cgi-bin/man/mansec	--	gen_context(system_u:object_r:httpd_man2html_script_exec_t,s0)
+-/usr/lib/man2html/cgi-bin/man/manwhatis	--	gen_context(system_u:object_r:httpd_man2html_script_exec_t,s0)
++/usr/lib/man2html/cgi-bin/man/man2html	--	gen_context(system_u:object_r:man2html_script_exec_t,s0)
++/usr/lib/man2html/cgi-bin/man/mansec	--	gen_context(system_u:object_r:man2html_script_exec_t,s0)
++/usr/lib/man2html/cgi-bin/man/manwhatis	--	gen_context(system_u:object_r:man2html_script_exec_t,s0)
+ 
+-/var/cache/man2html(/.*)?	gen_context(system_u:object_r:httpd_man2html_script_cache_t,s0)
++/var/cache/man2html(/.*)?	gen_context(system_u:object_r:man2html_rw_content_t,s0)
+diff --git a/man2html.if b/man2html.if
+index fe43dea..53eaf61 100644
+--- a/man2html.if
++++ b/man2html.if
+@@ -2,7 +2,7 @@
+ 
+ ########################################
+ ## <summary>
+-##	Transition to httpd_man2html_script.
++##	Transition to man2html_script.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -10,18 +10,18 @@
+ ## </summary>
+ ## </param>
+ #
+-interface(`httpd_man2html_script_domtrans',`
++interface(`man2html_script_domtrans',`
+ 	gen_require(`
+-		type httpd_man2html_script_t, httpd_man2html_script_exec_t;
++		type man2html_script_t, man2html_script_exec_t;
+ 	')
+ 
+ 	corecmd_search_bin($1)
+-	domtrans_pattern($1, httpd_man2html_script_exec_t, httpd_man2html_script_t)
++	domtrans_pattern($1, man2html_script_exec_t, man2html_script_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Search httpd_man2html_script cache directories.
++##	Search man2html_script content directories.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -29,18 +29,19 @@ interface(`httpd_man2html_script_domtrans',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`httpd_man2html_script_search_cache',`
++interface(`man2html_search_content',`
+ 	gen_require(`
+-		type httpd_man2html_script_cache_t;
++		type man2html_content_t;
++		type man2html_rw_content_t;
+ 	')
+ 
+-	allow $1 httpd_man2html_script_cache_t:dir search_dir_perms;
++	allow $1 { man2html_rw_content_t man2html_content_t }:dir search_dir_perms;
+ 	files_search_var($1)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read httpd_man2html_script cache files.
++##	Read man2html cache files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -48,19 +49,22 @@ interface(`httpd_man2html_script_search_cache',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`httpd_man2html_script_read_cache_files',`
++interface(`man2html_read_content_files',`
+ 	gen_require(`
+-		type httpd_man2html_script_cache_t;
++		type man2html_content_t;
++		type man2html_rw_content_t;
+ 	')
+ 
+ 	files_search_var($1)
+-	read_files_pattern($1, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
++	allow $1 { man2html_rw_content_t man2html_content_t }:dir search_dir_perms;
++	read_files_pattern($1, man2html_rw_content_t, man2html_rw_content_t)
++	read_files_pattern($1, man2html_content_t, man2html_content_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+ ##	Create, read, write, and delete
+-##	httpd_man2html_script cache files.
++##	man2html content files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -68,18 +72,21 @@ interface(`httpd_man2html_script_read_cache_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`httpd_man2html_script_manage_cache_files',`
++interface(`man2html_manage_content_files',`
+ 	gen_require(`
+-		type httpd_man2html_script_cache_t;
++		type man2html_content_t;
++		type man2html_rw_content_t;
+ 	')
+ 
+ 	files_search_var($1)
+-	manage_files_pattern($1, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
++	manage_files_pattern($1, man2html_rw_content_t, man2html_rw_content_t)
++	manage_files_pattern($1, man2html_content_t, man2html_content_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Manage httpd_man2html_script cache dirs.
++##	Create, read, write, and delete
++##	man2html content dirs.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
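Review bot: `man2html_manage_content_files` now also grants `manage_files_pattern($1, man2html_content_t, man2html_content_t)`, where the interface it replaces covered only the cache type. A caller that needed to write the cache therefore gains create/write/delete on the static content type as well, which blurs the read-only versus read-write content split. The next hunk does the same for `man2html_manage_content_dirs`. Consider keeping the manage interfaces to `man2html_rw_content_t` only and dropping the `man2html_content_t` line in both. The summary comment for the following interface continues outside this hunk.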
+@@ -87,20 +94,21 @@ interface(`httpd_man2html_script_manage_cache_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`httpd_man2html_script_manage_cache_dirs',`
++interface(`man2html_manage_content_dirs',`
+ 	gen_require(`
+-		type httpd_man2html_script_cache_t;
++		type man2html_content_t;
++		type man2html_rw_content_t;
+ 	')
+ 
+ 	files_search_var($1)
+-	manage_dirs_pattern($1, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
++	manage_dirs_pattern($1, man2html_rw_content_t, man2html_rw_content_t)
++	manage_dirs_pattern($1, man2html_content_t, man2html_content_t)
+ ')
+ 
+-
+ ########################################
+ ## <summary>
+ ##	All of the rules required to administrate
+-##	an httpd_man2html_script environment
++##	an man2html environment
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -108,17 +116,19 @@ interface(`httpd_man2html_script_manage_cache_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`httpd_man2html_script_admin',`
++interface(`man2html_admin',`
+ 	gen_require(`
+-		type httpd_man2html_script_t;
+-		type httpd_man2html_script_cache_t;
++		type man2html_script_t;
++		type man2html_rw_content_t;
++		type man2html_content_t;
+ 	')
+ 
+-	allow $1 httpd_man2html_script_t:process { ptrace signal_perms };
+-	ps_process_pattern($1, httpd_man2html_script_t)
++	allow $1 man2html_script_t:process { ptrace signal_perms };
++	ps_process_pattern($1, man2html_script_t)
+ 
+ 	files_search_var($1)
+-	admin_pattern($1, httpd_man2html_script_cache_t)
++	admin_pattern($1, man2html_content_t)
++	admin_pattern($1, man2html_rw_content_t)
+ 
+ 	optional_policy(`
+ 		systemd_passwd_agent_exec($1)
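Review bot: `man2html_admin` still grants `ptrace` unconditionally through `allow $1 man2html_script_t:process { ptrace signal_perms };`. The `mythtv_admin` interface in this same patch grants only `signal_perms` and puts `ptrace` behind the `deny_ptrace` tunable. Following that pattern here would make the boolean apply to this admin interface too. The interface body continues past the end of the hunk.
```selinux
	# … unchanged: gen_require block …
	allow $1 man2html_script_t:process signal_perms;
	ps_process_pattern($1, man2html_script_t)

	tunable_policy(`deny_ptrace',`',`
		allow $1 man2html_script_t:process ptrace;
	')
	# … unchanged: files_search_var and admin_pattern calls …
```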
+diff --git a/man2html.te b/man2html.te
+index 9e634bd..24b56e9 100644
+--- a/man2html.te
++++ b/man2html.te
+@@ -6,23 +6,17 @@ policy_module(man2html, 1.0.0)
+ #
+ 
+ 
+-type httpd_man2html_script_cache_t;
+-files_type(httpd_man2html_script_cache_t)
+-
+ ########################################
+ #
+-# httpd_man2html_script local policy
++# man2html_script local policy
+ #
+ 
+ optional_policy(`
+-
+ 	apache_content_template(man2html)
++	apache_content_alias_template(man2html, man2html)
+ 
+-	allow httpd_man2html_script_t self:process { fork };
+-
+-	manage_dirs_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
+-	manage_files_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
+-	manage_lnk_files_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
+-	files_var_filetrans(httpd_man2html_script_t, httpd_man2html_script_cache_t, { dir file })
++	allow man2html_script_t self:process fork;
+ 
++	typealias man2html_rw_content_t alias man2html_script_cache_t;
++	files_var_filetrans(man2html_script_t, man2html_rw_content_t, { dir file })
+ ')
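Review bot: The alias in `typealias man2html_rw_content_t alias man2html_script_cache_t;` does not match the type this hunk removes, which was `httpd_man2html_script_cache_t`. `apache_content_alias_template` is not visible here; unless it covers this non-standard name, files already labelled with the old type and any policy that still requires it will not resolve after the update. Listing both names would keep upgrades working: `typealias man2html_rw_content_t alias { httpd_man2html_script_cache_t man2html_script_cache_t };`.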
+diff --git a/mediawiki.fc b/mediawiki.fc
+index 99f7c41..93ec6db 100644
+--- a/mediawiki.fc
++++ b/mediawiki.fc
+@@ -1,8 +1,8 @@
+-/usr/lib/mediawiki/math/texvc	--	gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)
+-/usr/lib/mediawiki/math/texvc_tex	--	gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)
+-/usr/lib/mediawiki/math/texvc_tes	--	gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)
++/usr/lib/mediawiki/math/texvc	--	gen_context(system_u:object_r:mediawiki_script_exec_t,s0)
++/usr/lib/mediawiki/math/texvc_tex	--	gen_context(system_u:object_r:mediawiki_script_exec_t,s0)
++/usr/lib/mediawiki/math/texvc_tes	--	gen_context(system_u:object_r:mediawiki_script_exec_t,s0)
+ 
+-/usr/share/mediawiki(/.*)?	gen_context(system_u:object_r:httpd_mediawiki_content_t,s0)
++/usr/share/mediawiki(/.*)?	gen_context(system_u:object_r:mediawiki_content_t,s0)
+ 
+-/var/www/wiki(/.*)?	gen_context(system_u:object_r:httpd_mediawiki_rw_content_t,s0)
+-/var/www/wiki/.*\.php	--	gen_context(system_u:object_r:httpd_mediawiki_content_t,s0)
++/var/www/wiki(/.*)?	gen_context(system_u:object_r:mediawiki_rw_content_t,s0)
++/var/www/wiki/.*\.php	--	gen_context(system_u:object_r:mediawiki_content_t,s0)
+diff --git a/mediawiki.if b/mediawiki.if
+index 1c1d012..9b183e6 100644
+--- a/mediawiki.if
++++ b/mediawiki.if
+@@ -13,12 +13,12 @@
+ #
+ interface(`mediawiki_read_tmp_files',`
+         gen_require(`
+-                type httpd_mediawiki_tmp_t;
++                type mediawiki_tmp_t;
+         ')
+ 
+         files_search_tmp($1)
+-        read_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
+-	read_lnk_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
++        read_files_pattern($1, mediawiki_tmp_t, mediawiki_tmp_t)
++	read_lnk_files_pattern($1, mediawiki_tmp_t, mediawiki_tmp_t)
+ ')
+ 
+ #######################################
+@@ -33,8 +33,8 @@ interface(`mediawiki_read_tmp_files',`
+ #
+ interface(`mediawiki_delete_tmp_files',`
+         gen_require(`
+-                type httpd_mediawiki_tmp_t;
++                type mediawiki_tmp_t;
+         ')
+ 
+-        delete_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
++        delete_files_pattern($1, mediawiki_tmp_t, mediawiki_tmp_t)
+ ')
+diff --git a/mediawiki.te b/mediawiki.te
+index 212712c..fcbc191 100644
+--- a/mediawiki.te
++++ b/mediawiki.te
+@@ -5,16 +5,26 @@ policy_module(mediawiki, 1.0.0)
+ # Declarations
+ #
+ 
+-optional_policy(`
+-
+-	apache_content_template(mediawiki)
++type mediawiki_tmp_t;
++files_tmp_file(mediawiki_tmp_t)
+ 
+ ########################################
+ #
+ # Local policy
+ #
+ 
+-	files_search_var_lib(httpd_mediawiki_script_t)
++optional_policy(`
++
++	apache_content_template(mediawiki)
++	apache_content_alias_template(mediawiki, mediawiki)
++
++	manage_dirs_pattern(mediawiki_script_t, mediawiki_tmp_t, mediawiki_tmp_t)
++	manage_files_pattern(mediawiki_script_t, mediawiki_tmp_t, mediawiki_tmp_t)
++	manage_sock_files_pattern(mediawiki_script_t, mediawiki_tmp_t, mediawiki_tmp_t)
++	manage_lnk_files_pattern(mediawiki_script_t, mediawiki_tmp_t, mediawiki_tmp_t)
++	files_tmp_filetrans(mediawiki_script_t, mediawiki_tmp_t, { file dir lnk_file })
++
++	files_search_var_lib(mediawiki_script_t)
+ 
+-	miscfiles_read_tetex_data(httpd_mediawiki_script_t)
++	miscfiles_read_tetex_data(mediawiki_script_t)
+ ')
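Review bot: The new tmp rules are inconsistent: `manage_sock_files_pattern(mediawiki_script_t, mediawiki_tmp_t, mediawiki_tmp_t)` is granted, but the class set in `files_tmp_filetrans(mediawiki_script_t, mediawiki_tmp_t, { file dir lnk_file })` omits `sock_file`. A socket the script creates directly in the tmp directory would therefore not get `mediawiki_tmp_t`. Either add `sock_file` to the transition or, if the script never creates sockets, drop the sock-file pattern to keep the grant minimal. Separately, `type mediawiki_tmp_t;` is declared without the `alias httpd_mediawiki_tmp_t` that mojomojo.te uses for its renamed tmp type, so the old name referenced by the previous mediawiki.if will no longer resolve.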
+diff --git a/mojomojo.fc b/mojomojo.fc
+index 7b827ca..5ee8a0f 100644
+--- a/mojomojo.fc
++++ b/mojomojo.fc
+@@ -1,5 +1,5 @@
+-/usr/bin/mojomojo_fastcgi\.pl	--	gen_context(system_u:object_r:httpd_mojomojo_script_exec_t,s0)
++/usr/bin/mojomojo_fastcgi\.pl	--	gen_context(system_u:object_r:mojomojo_script_exec_t,s0)
+ 
+-/usr/share/mojomojo/root(/.*)?	gen_context(system_u:object_r:httpd_mojomojo_content_t,s0)
++/usr/share/mojomojo/root(/.*)?	gen_context(system_u:object_r:mojomojo_content_t,s0)
+ 
+-/var/lib/mojomojo(/.*)?	gen_context(system_u:object_r:httpd_mojomojo_rw_content_t,s0)
++/var/lib/mojomojo(/.*)?	gen_context(system_u:object_r:mojomojo_rw_content_t,s0)
+diff --git a/mojomojo.te b/mojomojo.te
+index 9556487..25d1d33 100644
+--- a/mojomojo.te
++++ b/mojomojo.te
+@@ -5,8 +5,8 @@ policy_module(mojomojo, 1.1.0)
+ # Declarations
+ #
+ 
+-type httpd_mojomojo_tmp_t;
+-files_tmp_file(httpd_mojomojo_tmp_t)
++type mojomojo_tmp_t alias httpd_mojomojo_tmp_t;
++files_tmp_file(mojomojo_tmp_t)
+ 
+ ########################################
+ #
+@@ -15,31 +15,30 @@ files_tmp_file(httpd_mojomojo_tmp_t)
+ 
+ optional_policy(`
+ 	apache_content_template(mojomojo)
++	apache_content_alias_template(mojomojo, mojomojo)
+ 
+-	allow httpd_mojomojo_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
++	manage_dirs_pattern(mojomojo_script_t, mojomojo_tmp_t, mojomojo_tmp_t)
++	manage_files_pattern(mojomojo_script_t, mojomojo_tmp_t, mojomojo_tmp_t)
++	files_tmp_filetrans(mojomojo_script_t, mojomojo_tmp_t, { file dir })
+ 
+-	manage_dirs_pattern(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, httpd_mojomojo_tmp_t)
+-	manage_files_pattern(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, httpd_mojomojo_tmp_t)
+-	files_tmp_filetrans(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, { file dir })
++	corenet_tcp_connect_postgresql_port(mojomojo_script_t)
++	corenet_tcp_connect_mysqld_port(mojomojo_script_t)
++	corenet_tcp_connect_smtp_port(mojomojo_script_t)
++	corenet_sendrecv_postgresql_client_packets(mojomojo_script_t)
++	corenet_sendrecv_mysqld_client_packets(mojomojo_script_t)
++	corenet_sendrecv_smtp_client_packets(mojomojo_script_t)
+ 
+-	corenet_tcp_connect_postgresql_port(httpd_mojomojo_script_t)
+-	corenet_tcp_connect_mysqld_port(httpd_mojomojo_script_t)
+-	corenet_tcp_connect_smtp_port(httpd_mojomojo_script_t)
+-	corenet_sendrecv_postgresql_client_packets(httpd_mojomojo_script_t)
+-	corenet_sendrecv_mysqld_client_packets(httpd_mojomojo_script_t)
+-	corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t)
++	files_search_var_lib(mojomojo_script_t)
+ 
+-	files_search_var_lib(httpd_mojomojo_script_t)
++	sysnet_dns_name_resolve(mojomojo_script_t)
+ 
+-	sysnet_dns_name_resolve(httpd_mojomojo_script_t)
+-
+-	mta_send_mail(httpd_mojomojo_script_t)
++	mta_send_mail(mojomojo_script_t)
+ 
+ 	optional_policy(`
+-		mysql_stream_connect(httpd_mojomojo_script_t)
++		mysql_stream_connect(mojomojo_script_t)
+ 	')
+ 
+ 	optional_policy(`
+-		postgresql_stream_connect(httpd_mojomojo_script_t)
++		postgresql_stream_connect(mojomojo_script_t)
+ 	')
+ ')
+diff --git a/munin.fc b/munin.fc
+index 4968324..af28bb5 100644
+--- a/munin.fc
++++ b/munin.fc
+@@ -73,7 +73,7 @@
+ /var/lib/munin/plugin-state(/.*)?	gen_context(system_u:object_r:munin_plugin_state_t,s0)
+ /var/log/munin.*			gen_context(system_u:object_r:munin_log_t,s0)
+ /var/run/munin(/.*)?			gen_context(system_u:object_r:munin_var_run_t,s0)
+-/var/www/html/munin(/.*)?		gen_context(system_u:object_r:httpd_munin_content_t,s0)
+-/var/www/html/munin/cgi(/.*)?	gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
+-/var/www/html/cgi/munin.*       gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
+-/var/www/cgi-bin/munin.*		gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
++/var/www/html/munin(/.*)?		gen_context(system_u:object_r:munin_content_t,s0)
++/var/www/html/munin/cgi(/.*)?		gen_context(system_u:object_r:munin_script_exec_t,s0)
++/var/www/html/cgi/munin.*       	gen_context(system_u:object_r:munin_script_exec_t,s0)
++/var/www/cgi-bin/munin.*		gen_context(system_u:object_r:munin_script_exec_t,s0)
+diff --git a/munin.if b/munin.if
+index 4c1b6a8..900d083 100644
+--- a/munin.if
++++ b/munin.if
+@@ -209,7 +209,7 @@ interface(`munin_admin',`
+ 		attribute munin_plugin_domain, munin_plugin_tmp_content;
+ 		type munin_t, munin_etc_t, munin_tmp_t;
+ 		type munin_log_t, munin_var_lib_t, munin_var_run_t;
+-		type httpd_munin_content_t, munin_plugin_state_t, munin_initrc_exec_t;
++		type munin_content_t, munin_plugin_state_t, munin_initrc_exec_t;
+ 	')
+ 
+ 	allow $1 munin_t:process signal_perms;
+@@ -239,5 +239,5 @@ interface(`munin_admin',`
+ 	files_list_pids($1)
+ 	admin_pattern($1, munin_var_run_t)
+ 
+-	admin_pattern($1, httpd_munin_content_t)
++	admin_pattern($1, munin_content_t)
+ ')
+diff --git a/munin.te b/munin.te
+index cead88c..16b96d0 100644
+--- a/munin.te
++++ b/munin.te
+@@ -44,8 +44,8 @@ files_tmpfs_file(services_munin_plugin_tmpfs_t)
+ munin_plugin_template(system)
+ munin_plugin_template(unconfined)
+ 
+-type httpd_munin_script_tmp_t;
+-files_tmp_file(httpd_munin_script_tmp_t)
++type munin_script_tmp_t alias httpd_munin_script_tmp_t;
++files_tmp_file(munin_script_tmp_t)
+ 
+ ################################
+ #
+@@ -435,22 +435,23 @@ optional_policy(`
+ #
+ 
+ apache_content_template(munin)
++apache_content_alias_template(munin, munin)
+ 
+-manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
+-manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
++manage_dirs_pattern(munin_t, munin_content_t, munin_content_t)
++manage_files_pattern(munin_t, munin_content_t, munin_content_t)
+ 
+-manage_dirs_pattern(httpd_munin_script_t, httpd_munin_script_tmp_t, httpd_munin_script_tmp_t)
+-manage_files_pattern(httpd_munin_script_t, httpd_munin_script_tmp_t,httpd_munin_script_tmp_t)
++manage_dirs_pattern(munin_script_t, munin_script_tmp_t, munin_script_tmp_t)
++manage_files_pattern(munin_script_t, munin_script_tmp_t,munin_script_tmp_t)
+ 
+-read_files_pattern(httpd_munin_script_t, munin_var_lib_t, munin_var_lib_t)
+-read_files_pattern(httpd_munin_script_t, munin_etc_t, munin_etc_t)
++read_files_pattern(munin_script_t, munin_var_lib_t, munin_var_lib_t)
++read_files_pattern(munin_script_t, munin_etc_t, munin_etc_t)
+ 
+-read_files_pattern(httpd_munin_script_t, munin_log_t, munin_log_t)
+-append_files_pattern(httpd_munin_script_t, munin_log_t, munin_log_t)
++read_files_pattern(munin_script_t, munin_log_t, munin_log_t)
++append_files_pattern(munin_script_t, munin_log_t, munin_log_t)
+ 
+-files_search_var_lib(httpd_munin_script_t)
++files_search_var_lib(munin_script_t)
+ 
+-auth_read_passwd(httpd_munin_script_t)
++auth_read_passwd(munin_script_t)
+ 
+ optional_policy(`
+ 	apache_search_sys_content(munin_t)
+diff --git a/mythtv.fc b/mythtv.fc
+index 3a1c423..d62cf88 100644
+--- a/mythtv.fc
++++ b/mythtv.fc
+@@ -1,9 +1,9 @@
+-/usr/share/mythweb/mythweb\.pl	--	gen_context(system_u:object_r:httpd_mythtv_script_exec_t,s0)
++/usr/share/mythweb/mythweb\.pl	--	gen_context(system_u:object_r:mythtv_script_exec_t,s0)
+ 
+ /var/lib/mythtv(/.*)?	gen_context(system_u:object_r:mythtv_var_lib_t,s0)
+ 
+ /var/log/mythtv(/.*)?	gen_context(system_u:object_r:mythtv_var_log_t,s0)
+ 
+-/usr/share/mythtv(/.*)?		gen_context(system_u:object_r:httpd_mythtv_content_t,s0)
+-/usr/share/mythweb(/.*)?	gen_context(system_u:object_r:httpd_mythtv_content_t,s0)
+-/usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:httpd_mythtv_script_exec_t,s0)
++/usr/share/mythtv(/.*)?		gen_context(system_u:object_r:mythtv_content_t,s0)
++/usr/share/mythweb(/.*)?	gen_context(system_u:object_r:mythtv_content_t,s0)
++/usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:mythtv_script_exec_t,s0)
+diff --git a/mythtv.if b/mythtv.if
+index 171f666..e2403dd 100644
+--- a/mythtv.if
++++ b/mythtv.if
+@@ -1,9 +1,9 @@
+ 
+-## <summary>policy for httpd_mythtv_script</summary>
++## <summary>policy for mythtv_script</summary>
+ 
+ ########################################
+ ## <summary>
+-##	Execute TEMPLATE in the httpd_mythtv_script domin.
++##	Execute TEMPLATE in the mythtv_script domin.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -11,13 +11,13 @@
+ ## </summary>
+ ## </param>
+ #
+-interface(`httpd_mythtv_script_domtrans',`
++interface(`mythtv_script_domtrans',`
+ 	gen_require(`
+-		type httpd_mythtv_script_t, httpd_mythtv_script_exec_t;
++		type mythtv_script_t, mythtv_script_exec_t;
+ 	')
+ 
+ 	corecmd_search_bin($1)
+-	domtrans_pattern($1, httpd_mythtv_script_exec_t, httpd_mythtv_script_t)
++	domtrans_pattern($1, mythtv_script_exec_t, mythtv_script_t)
+ ')
+ 
+ #######################################
+@@ -133,15 +133,15 @@ interface(`mythtv_manage_log',`
+ #
+ interface(`mythtv_admin',`
+ 	gen_require(`
+-		type httpd_mythtv_script_t, mythtv_var_lib_t;
++		type mythtv_script_t, mythtv_var_lib_t;
+ 		type mythtv_var_log_t;
+ 	')
+ 
+-	allow $1 httpd_mythtv_script_t:process signal_perms;
+-	ps_process_pattern($1, httpd_mythtv_script_t)
++	allow $1 mythtv_script_t:process signal_perms;
++	ps_process_pattern($1, mythtv_script_t)
+ 
+ 	tunable_policy(`deny_ptrace',`',`
+-		allow $1 httpd_mythtv_script_t:process ptrace;
++		allow $1 mythtv_script_t:process ptrace;
+ 	')
+ 
+ 	logging_list_logs($1)
+diff --git a/mythtv.te b/mythtv.te
+index 90129ac..7a4910c 100644
+--- a/mythtv.te
++++ b/mythtv.te
+@@ -6,6 +6,7 @@ policy_module(mythtv, 1.0.0)
+ #
+ 
+ apache_content_template(mythtv)
++apache_content_alias_template(mythtv, mythtv)
+ 
+ type mythtv_var_lib_t;
+ files_type(mythtv_var_lib_t)
+@@ -15,27 +16,27 @@ logging_log_file(mythtv_var_log_t)
+ 
+ ########################################
+ #
+-# httpd_mythtv_script local policy
++# mythtv_script local policy
+ #
+ 
+-manage_files_pattern(httpd_mythtv_script_t, mythtv_var_lib_t, mythtv_var_lib_t)
+-manage_dirs_pattern(httpd_mythtv_script_t, mythtv_var_lib_t, mythtv_var_lib_t)
+-files_var_lib_filetrans(httpd_mythtv_script_t, mythtv_var_lib_t, { dir file })
++manage_files_pattern(mythtv_script_t, mythtv_var_lib_t, mythtv_var_lib_t)
++manage_dirs_pattern(mythtv_script_t, mythtv_var_lib_t, mythtv_var_lib_t)
++files_var_lib_filetrans(mythtv_script_t, mythtv_var_lib_t, { dir file })
+ 
+-manage_files_pattern(httpd_mythtv_script_t, mythtv_var_log_t, mythtv_var_log_t)
+-manage_dirs_pattern(httpd_mythtv_script_t, mythtv_var_log_t, mythtv_var_log_t)
+-logging_log_filetrans(httpd_mythtv_script_t, mythtv_var_log_t, file )
++manage_files_pattern(mythtv_script_t, mythtv_var_log_t, mythtv_var_log_t)
++manage_dirs_pattern(mythtv_script_t, mythtv_var_log_t, mythtv_var_log_t)
++logging_log_filetrans(mythtv_script_t, mythtv_var_log_t, file )
+ 
+-domain_use_interactive_fds(httpd_mythtv_script_t)
++domain_use_interactive_fds(mythtv_script_t)
+ 
+-files_read_etc_files(httpd_mythtv_script_t)
++files_read_etc_files(mythtv_script_t)
+ 
+-fs_read_nfs_files(httpd_mythtv_script_t)
++fs_read_nfs_files(mythtv_script_t)
+ 
+-miscfiles_read_localization(httpd_mythtv_script_t)
++miscfiles_read_localization(mythtv_script_t)
+ 
+ optional_policy(`
+-	mysql_read_config(httpd_mythtv_script_t)
+-	mysql_stream_connect(httpd_mythtv_script_t)
+-	mysql_tcp_connect(httpd_mythtv_script_t)
++	mysql_read_config(mythtv_script_t)
++	mysql_stream_connect(mythtv_script_t)
++	mysql_tcp_connect(mythtv_script_t)
+ ')
+diff --git a/nagios.fc b/nagios.fc
+index a00cc2d..24a2dec 100644
+--- a/nagios.fc
++++ b/nagios.fc
+@@ -6,8 +6,8 @@
+ /usr/s?bin/nagios				--	gen_context(system_u:object_r:nagios_exec_t,s0)
+ /usr/s?bin/nrpe					--	gen_context(system_u:object_r:nrpe_exec_t,s0)
+ 
+-/usr/lib/cgi-bin/netsaint(/.*)?			gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+-/usr/lib/nagios/cgi(/.*)?				gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
++/usr/lib/cgi-bin/netsaint(/.*)?			gen_context(system_u:object_r:nagios_script_exec_t,s0)
++/usr/lib/nagios/cgi(/.*)?				gen_context(system_u:object_r:nagios_script_exec_t,s0)
+ 
+ /var/log/nagios(/.*)?					gen_context(system_u:object_r:nagios_log_t,s0)
+ /var/log/netsaint(/.*)?					gen_context(system_u:object_r:nagios_log_t,s0)
+@@ -19,8 +19,8 @@
+ ifdef(`distro_debian',`
+ /usr/sbin/nagios				--	gen_context(system_u:object_r:nagios_exec_t,s0)
+ ')
+-/usr/lib/cgi-bin/nagios(/.+)?			gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+-/usr/lib/nagios/cgi-bin(/.*)?			gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
++/usr/lib/cgi-bin/nagios(/.+)?			gen_context(system_u:object_r:nagios_script_exec_t,s0)
++/usr/lib/nagios/cgi-bin(/.*)?			gen_context(system_u:object_r:nagios_script_exec_t,s0)
+ 
+ # admin plugins
+ /usr/lib/nagios/plugins/check_file_age	--	gen_context(system_u:object_r:nagios_admin_plugin_exec_t,s0)
+diff --git a/nagios.te b/nagios.te
+index f565a0e..1726e88 100644
+--- a/nagios.te
++++ b/nagios.te
+@@ -186,33 +186,34 @@ optional_policy(`
+ 
+ optional_policy(`
+ 	apache_content_template(nagios)
+-	typealias httpd_nagios_script_t alias nagios_cgi_t;
+-	typealias httpd_nagios_script_exec_t alias nagios_cgi_exec_t;
++	apache_content_alias_template(nagios, nagios)
++	typealias nagios_script_t alias nagios_cgi_t;
++	typealias nagios_script_exec_t alias nagios_cgi_exec_t;
+ 
+-	allow httpd_nagios_script_t self:process signal_perms;
++	allow nagios_script_t self:process signal_perms;
+ 
+-	read_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t)
+-	read_lnk_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t)
++	read_files_pattern(nagios_script_t, nagios_t, nagios_t)
++	read_lnk_files_pattern(nagios_script_t, nagios_t, nagios_t)
+ 
+-	allow httpd_nagios_script_t nagios_etc_t:dir list_dir_perms;
+-	allow httpd_nagios_script_t nagios_etc_t:file read_file_perms;
+-	allow httpd_nagios_script_t nagios_etc_t:lnk_file read_lnk_file_perms;
++	allow nagios_script_t nagios_etc_t:dir list_dir_perms;
++	allow nagios_script_t nagios_etc_t:file read_file_perms;
++	allow nagios_script_t nagios_etc_t:lnk_file read_lnk_file_perms;
+ 
+-	files_search_spool(httpd_nagios_script_t)
+-	rw_fifo_files_pattern(httpd_nagios_script_t, nagios_spool_t, nagios_spool_t)
++	files_search_spool(nagios_script_t)
++	rw_fifo_files_pattern(nagios_script_t, nagios_spool_t, nagios_spool_t)
+ 
+-	allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms;
+-	read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)
+-	read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)
++	allow nagios_script_t nagios_log_t:dir list_dir_perms;
++	read_files_pattern(nagios_script_t, nagios_etc_t, nagios_log_t)
++	read_lnk_files_pattern(nagios_script_t, nagios_etc_t, nagios_log_t)
+ 
+-	kernel_read_system_state(httpd_nagios_script_t)
++	kernel_read_system_state(nagios_script_t)
+ 
+-	domain_dontaudit_read_all_domains_state(httpd_nagios_script_t)
++	domain_dontaudit_read_all_domains_state(nagios_script_t)
+ 
+-	files_read_etc_runtime_files(httpd_nagios_script_t)
+-	files_read_kernel_symbol_table(httpd_nagios_script_t)
++	files_read_etc_runtime_files(nagios_script_t)
++	files_read_kernel_symbol_table(nagios_script_t)
+ 
+-	logging_send_syslog_msg(httpd_nagios_script_t)
++	logging_send_syslog_msg(nagios_script_t)
+ ')
+ 
+ ########################################
+diff --git a/nut.fc b/nut.fc
+index 41ff159..fac7d7b 100644
+--- a/nut.fc
++++ b/nut.fc
+@@ -11,6 +11,6 @@
+ 
+ /var/run/nut(/.*)?	gen_context(system_u:object_r:nut_var_run_t,s0)
+ 
+-/var/www/nut-cgi-bin/upsimage\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
+-/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
+-/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
++/var/www/nut-cgi-bin/upsimage\.cgi -- gen_context(system_u:object_r:nutups_cgi_script_exec_t,s0)
++/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:nutups_cgi_script_exec_t,s0)
++/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:nutups_cgi_script_exec_t,s0)
+diff --git a/nut.te b/nut.te
+index 1701352..249224e 100644
+--- a/nut.te
++++ b/nut.te
+@@ -166,17 +166,18 @@ logging_send_syslog_msg(nut_upsdrvctl_t)
+ 
+ optional_policy(`
+ 	apache_content_template(nutups_cgi)
++	apache_content_alias_template(nutups_cgi,nutups_cgi)
+ 
+-	read_files_pattern(httpd_nutups_cgi_script_t, nut_conf_t, nut_conf_t)
++	read_files_pattern(nutups_cgi_script_t, nut_conf_t, nut_conf_t)
+ 
+-	corenet_all_recvfrom_netlabel(httpd_nutups_cgi_script_t)
+-	corenet_tcp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
+-	corenet_tcp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
+-	corenet_tcp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
+-	corenet_tcp_connect_ups_port(httpd_nutups_cgi_script_t)
+-	corenet_udp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
+-	corenet_udp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
+-	corenet_udp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
++	corenet_all_recvfrom_netlabel(nutups_cgi_script_t)
++	corenet_tcp_sendrecv_generic_if(nutups_cgi_script_t)
++	corenet_tcp_sendrecv_generic_node(nutups_cgi_script_t)
++	corenet_tcp_sendrecv_all_ports(nutups_cgi_script_t)
++	corenet_tcp_connect_ups_port(nutups_cgi_script_t)
++	corenet_udp_sendrecv_generic_if(nutups_cgi_script_t)
++	corenet_udp_sendrecv_generic_node(nutups_cgi_script_t)
++	corenet_udp_sendrecv_all_ports(nutups_cgi_script_t)
+ 
+-	sysnet_dns_name_resolve(httpd_nutups_cgi_script_t)
++	sysnet_dns_name_resolve(nutups_cgi_script_t)
+ ')
+diff --git a/openshift.fc b/openshift.fc
+index f2d6119..71ba1bd 100644
+--- a/openshift.fc
++++ b/openshift.fc
+@@ -18,7 +18,7 @@
+ /usr/s?bin/(oo|rhc)-cgroup-read        --    gen_context(system_u:object_r:openshift_cgroup_read_exec_t,s0)
+ 
+ /usr/s?bin/(oo|rhc)-restorer           --    gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
+-/usr/s?bin/(oo|rhc)-restorer-wrapper.sh    --  gen_context(system_u:object_r:httpd_openshift_script_exec_t,s0)
++/usr/s?bin/(oo|rhc)-restorer-wrapper.sh    --  gen_context(system_u:object_r:openshift_script_exec_t,s0)
+ /usr/s?bin/oo-admin-ctl-gears	--	gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
+ /usr/s?bin/mcollectived			--		gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
+ 
+diff --git a/openshift.te b/openshift.te
+index cd25e8e..7965e82 100644
+--- a/openshift.te
++++ b/openshift.te
+@@ -294,13 +294,14 @@ optional_policy(`
+ 	# openshift cgi script policy
+ 	#
+ 	apache_content_template(openshift)
+-	domtrans_pattern(httpd_openshift_script_t, openshift_initrc_exec_t, openshift_initrc_t)
++	apache_content_alias_template(openshift, openshift)
++	domtrans_pattern(openshift_script_t, openshift_initrc_exec_t, openshift_initrc_t)
+ 
+ 	optional_policy(`
+-		dbus_system_bus_client(httpd_openshift_script_t)
++		dbus_system_bus_client(openshift_script_t)
+ 
+ 		optional_policy(`
+-			oddjob_dbus_chat(httpd_openshift_script_t)
++			oddjob_dbus_chat(openshift_script_t)
+ 			oddjob_dontaudit_rw_fifo_file(openshift_domain)
+ 		')
+ 	')
+diff --git a/pki.if b/pki.if
+index b975b85..798efb6 100644
+--- a/pki.if
++++ b/pki.if
+@@ -134,13 +134,6 @@ template(`pki_apache_template',`
+ 
+ 	# need to resolve addresses?
+ 	auth_use_nsswitch($1_t)
+-
+-		#pki_apache_domain_signal(httpd_t)
+-		#pki_apache_domain_signal(httpd_t)
+-		#pki_manage_apache_run(httpd_t)
+-		#pki_manage_apache_config_files(httpd_t)
+-		#pki_manage_apache_log_files(httpd_t)
+-		#pki_manage_apache_lib(httpd_t)
+ ')
+ 
+ #######################################
+diff --git a/pki.te b/pki.te
+index 17f5d18..d656f71 100644
+--- a/pki.te
++++ b/pki.te
+@@ -43,7 +43,6 @@ typealias pki_tomcat_etc_rw_t alias { pki_ca_etc_rw_t pki_kra_etc_rw_t pki_ocsp_
+ typealias pki_tomcat_var_lib_t alias { pki_ca_var_lib_t pki_kra_var_lib_t pki_ocsp_var_lib_t pki_tks_var_lib_t };
+ typealias pki_tomcat_var_run_t alias { pki_ca_var_run_t pki_kra_var_run_t pki_ocsp_var_run_t pki_tks_var_run_t };
+ typealias pki_tomcat_log_t alias { pki_ca_log_t pki_kra_log_t pki_ocsp_log_t pki_tks_log_t };
+-# typealias http_port_t alias { pki_ca_port_t pki_kra_port_t pki_ocsp_port_t pki_tks_port_t };
+ 
+ 
+ # pki policy types
+@@ -126,10 +125,6 @@ miscfiles_read_hwdata(pki_tomcat_t)
+ userdom_manage_user_tmp_dirs(pki_tomcat_t)
+ userdom_manage_user_tmp_files(pki_tomcat_t)
+ 
+-# forward proxy
+-# need to define ports to fix this
+-#corenet_tcp_connect_pki_tomcat_port(httpd_t)
+-
+ # for crl publishing
+ allow pki_tomcat_t pki_tomcat_var_lib_t:lnk_file { rename create unlink };
+ 
+@@ -166,9 +161,6 @@ corenet_tcp_connect_pki_tks_port(pki_tps_t)
+ 
+ files_exec_usr_files(pki_tps_t)
+ 
+-# why do I need to add this?
+-#allow httpd_t httpd_config_t:file execute;
+-
+ ######################################
+ #
+ # ra local policy
+@@ -268,13 +260,8 @@ optional_policy(`
+ 	apache_list_modules(pki_apache_domain)
+ 	apache_read_config(pki_apache_domain)
+ 	apache_exec(pki_apache_domain)
+-    apache_exec_suexec(pki_apache_domain)
++	apache_exec_suexec(pki_apache_domain)
+ 	apache_entrypoint(pki_apache_domain)
+-
+-	# should be started using a script which will execute httpd
+-	# start up httpd in pki_apache_domain mode
+-	#can_exec(pki_apache_domain, httpd_config_t)
+-	#can_exec(pki_apache_domain, httpd_suexec_exec_t)
+ ')
+ 
+ # allow rpm -q in init scripts
+diff --git a/prelude.fc b/prelude.fc
+index 8dbc763..b580f85 100644
+--- a/prelude.fc
++++ b/prelude.fc
+@@ -12,7 +12,7 @@
+ 
+ /usr/sbin/audisp-prelude	--	gen_context(system_u:object_r:prelude_audisp_exec_t,s0)
+ 
+-/usr/share/prewikka/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_prewikka_script_exec_t,s0)
++/usr/share/prewikka/cgi-bin(/.*)?	gen_context(system_u:object_r:prewikka_script_exec_t,s0)
+ 
+ /var/lib/prelude-lml(/.*)?	gen_context(system_u:object_r:prelude_var_lib_t,s0)
+ 
+diff --git a/prelude.te b/prelude.te
+index 509fd0a..e1f4f70 100644
+--- a/prelude.te
++++ b/prelude.te
+@@ -265,27 +265,28 @@ optional_policy(`
+ 
+ optional_policy(`
+ 	apache_content_template(prewikka)
++	apache_content_alias_template(prewikka, prewikka)
+ 
+-	can_exec(httpd_prewikka_script_t, httpd_prewikka_script_exec_t)
++	can_exec(prewikka_script_t, prewikka_script_exec_t)
+ 
+-	files_search_tmp(httpd_prewikka_script_t)
++	files_search_tmp(prewikka_script_t)
+ 
+-	kernel_read_sysctl(httpd_prewikka_script_t)
+-	kernel_search_network_sysctl(httpd_prewikka_script_t)
++	kernel_read_sysctl(prewikka_script_t)
++	kernel_search_network_sysctl(prewikka_script_t)
+ 
+-	auth_use_nsswitch(httpd_prewikka_script_t)
++	auth_use_nsswitch(prewikka_script_t)
+ 
+-	logging_send_syslog_msg(httpd_prewikka_script_t)
++	logging_send_syslog_msg(prewikka_script_t)
+ 
+-	apache_search_sys_content(httpd_prewikka_script_t)
++	apache_search_sys_content(prewikka_script_t)
+ 
+ 	optional_policy(`
+-		mysql_stream_connect(httpd_prewikka_script_t)
+-		mysql_tcp_connect(httpd_prewikka_script_t)
++		mysql_stream_connect(prewikka_script_t)
++		mysql_tcp_connect(prewikka_script_t)
+ 	')
+ 
+ 	optional_policy(`
+-		postgresql_stream_connect(httpd_prewikka_script_t)
+-		postgresql_tcp_connect(httpd_prewikka_script_t)
++		postgresql_stream_connect(prewikka_script_t)
++		postgresql_tcp_connect(prewikka_script_t)
+ 	')
+ ')
+diff --git a/smokeping.fc b/smokeping.fc
+index 3359819..a231ecb 100644
+--- a/smokeping.fc
++++ b/smokeping.fc
+@@ -2,7 +2,7 @@
+ 
+ /usr/sbin/smokeping	--	gen_context(system_u:object_r:smokeping_exec_t,s0)
+ 
+-/usr/share/smokeping/cgi(/.*)?	gen_context(system_u:object_r:httpd_smokeping_cgi_script_exec_t,s0)
++/usr/share/smokeping/cgi(/.*)?	gen_context(system_u:object_r:smokeping_cgi_script_exec_t,s0)
+ 
+ /var/lib/smokeping(/.*)?	gen_context(system_u:object_r:smokeping_var_lib_t,s0)
+ 
+diff --git a/smokeping.te b/smokeping.te
+index ebf575f..26b6da1 100644
+--- a/smokeping.te
++++ b/smokeping.te
+@@ -58,19 +58,20 @@ netutils_domtrans_ping(smokeping_t)
+ 
+ optional_policy(`
+ 	apache_content_template(smokeping_cgi)
++	apache_content_alias_template(smokeping_cgi, smokeping_cgi)
+ 
+-	manage_dirs_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t)
+-	manage_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t)
++	manage_dirs_pattern(smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t)
++	manage_files_pattern(smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t)
+ 
+-	getattr_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_run_t, smokeping_var_run_t)
++	getattr_files_pattern(smokeping_cgi_script_t, smokeping_var_run_t, smokeping_var_run_t)
+ 
+-	files_read_etc_files(httpd_smokeping_cgi_script_t)
+-	files_search_tmp(httpd_smokeping_cgi_script_t)
+-	files_search_var_lib(httpd_smokeping_cgi_script_t)
++	files_read_etc_files(smokeping_cgi_script_t)
++	files_search_tmp(smokeping_cgi_script_t)
++	files_search_var_lib(smokeping_cgi_script_t)
+ 
+-	auth_read_passwd(httpd_smokeping_cgi_script_t)
++	auth_read_passwd(smokeping_cgi_script_t)
+ 
+-	sysnet_dns_name_resolve(httpd_smokeping_cgi_script_t)
++	sysnet_dns_name_resolve(smokeping_cgi_script_t)
+ 
+-	netutils_domtrans_ping(httpd_smokeping_cgi_script_t)
++	netutils_domtrans_ping(smokeping_cgi_script_t)
+ ')
+diff --git a/squid.fc b/squid.fc
+index ebbec17..5b066d3 100644
+--- a/squid.fc
++++ b/squid.fc
+@@ -2,14 +2,14 @@
+ /etc/squid(/.*)?		gen_context(system_u:object_r:squid_conf_t,s0)
+ /etc/lightsquid(/.*)?		gen_context(system_u:object_r:squid_conf_t,s0)
+ 
+-/usr/lib/squid/cachemgr\.cgi	--	gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
++/usr/lib/squid/cachemgr\.cgi	--	gen_context(system_u:object_r:squid_script_exec_t,s0)
+ 
+ /usr/sbin/lightparser.pl --	gen_context(system_u:object_r:squid_cron_exec_t,s0)
+ 
+ /usr/sbin/squid	--	gen_context(system_u:object_r:squid_exec_t,s0)
+ 
+ /usr/share/squid(/.*)?	gen_context(system_u:object_r:squid_conf_t,s0)
+-/usr/share/lightsquid/cgi(/.*)? gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
++/usr/share/lightsquid/cgi(/.*)? gen_context(system_u:object_r:squid_script_exec_t,s0)
+ 
+ /var/cache/squid(/.*)?	gen_context(system_u:object_r:squid_cache_t,s0)
+ 
+diff --git a/squid.te b/squid.te
+index 7cb8bec..4ade5f1 100644
+--- a/squid.te
++++ b/squid.te
+@@ -201,24 +201,25 @@ tunable_policy(`squid_use_tproxy',`
+ 
+ optional_policy(`
+ 	apache_content_template(squid)
++	apache_content_alias_template(squid, squid)
+ 
+-	allow httpd_squid_script_t self:tcp_socket create_socket_perms;
++	allow squid_script_t self:tcp_socket create_socket_perms;
+ 
+-	corenet_all_recvfrom_unlabeled(httpd_squid_script_t)
+-	corenet_all_recvfrom_netlabel(httpd_squid_script_t)
+-	corenet_tcp_sendrecv_generic_if(httpd_squid_script_t)
+-	corenet_tcp_sendrecv_generic_node(httpd_squid_script_t)
++	corenet_all_recvfrom_unlabeled(squid_script_t)
++	corenet_all_recvfrom_netlabel(squid_script_t)
++	corenet_tcp_sendrecv_generic_if(squid_script_t)
++	corenet_tcp_sendrecv_generic_node(squid_script_t)
+ 
+-	corenet_sendrecv_http_cache_client_packets(httpd_squid_script_t)
+-	corenet_tcp_connect_http_cache_port(httpd_squid_script_t)
+-	corenet_tcp_sendrecv_http_cache_port(httpd_squid_script_t)
++	corenet_sendrecv_http_cache_client_packets(squid_script_t)
++	corenet_tcp_connect_http_cache_port(squid_script_t)
++	corenet_tcp_sendrecv_http_cache_port(squid_script_t)
+ 
+-	corenet_tcp_connect_squid_port(httpd_squid_script_t)
++	corenet_tcp_connect_squid_port(squid_script_t)
+ 
+-	sysnet_dns_name_resolve(httpd_squid_script_t)
++	sysnet_dns_name_resolve(squid_script_t)
+ 
+ 	optional_policy(`
+-		squid_read_config(httpd_squid_script_t)
++		squid_read_config(squid_script_t)
+ 	')
+ ')
+ 
+diff --git a/w3c.fc b/w3c.fc
+index 463c799..227feaf 100644
+--- a/w3c.fc
++++ b/w3c.fc
+@@ -1,4 +1,4 @@
+-/usr/lib/cgi-bin/check	--	gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0)
++/usr/lib/cgi-bin/check	--	gen_context(system_u:object_r:w3c_validator_script_exec_t,s0)
+ 
+-/usr/share/w3c-markup-validator(/.*)?	gen_context(system_u:object_r:httpd_w3c_validator_content_t,s0)
+-/usr/share/w3c-markup-validator/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0)
++/usr/share/w3c-markup-validator(/.*)?	gen_context(system_u:object_r:w3c_validator_content_t,s0)
++/usr/share/w3c-markup-validator/cgi-bin(/.*)?	gen_context(system_u:object_r:w3c_validator_script_exec_t,s0)
+diff --git a/w3c.te b/w3c.te
+index b14d6a9..ac1944e 100644
+--- a/w3c.te
++++ b/w3c.te
+@@ -6,29 +6,30 @@ policy_module(w3c, 1.1.0)
+ #
+ 
+ apache_content_template(w3c_validator)
++apache_content_alias_template(w3c_validator, w3c_validator)
+ 
+ ########################################
+ #
+ # Local policy
+ #
+ 
+-corenet_all_recvfrom_unlabeled(httpd_w3c_validator_script_t)
+-corenet_all_recvfrom_netlabel(httpd_w3c_validator_script_t)
+-corenet_tcp_sendrecv_generic_if(httpd_w3c_validator_script_t)
+-corenet_tcp_sendrecv_generic_node(httpd_w3c_validator_script_t)
++corenet_all_recvfrom_unlabeled(w3c_validator_script_t)
++corenet_all_recvfrom_netlabel(w3c_validator_script_t)
++corenet_tcp_sendrecv_generic_if(w3c_validator_script_t)
++corenet_tcp_sendrecv_generic_node(w3c_validator_script_t)
+ 
+-corenet_sendrecv_ftp_client_packets(httpd_w3c_validator_script_t)
+-corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t)
+-corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t)
++corenet_sendrecv_ftp_client_packets(w3c_validator_script_t)
++corenet_tcp_connect_ftp_port(w3c_validator_script_t)
++corenet_tcp_sendrecv_ftp_port(w3c_validator_script_t)
+ 
+-corenet_sendrecv_http_client_packets(httpd_w3c_validator_script_t)
+-corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
+-corenet_tcp_sendrecv_http_port(httpd_w3c_validator_script_t)
++corenet_sendrecv_http_client_packets(w3c_validator_script_t)
++corenet_tcp_connect_http_port(w3c_validator_script_t)
++corenet_tcp_sendrecv_http_port(w3c_validator_script_t)
+ 
+-corenet_sendrecv_http_cache_client_packets(httpd_w3c_validator_script_t)
+-corenet_tcp_connect_http_cache_port(httpd_w3c_validator_script_t)
+-corenet_tcp_sendrecv_http_cache_port(httpd_w3c_validator_script_t)
++corenet_sendrecv_http_cache_client_packets(w3c_validator_script_t)
++corenet_tcp_connect_http_cache_port(w3c_validator_script_t)
++corenet_tcp_sendrecv_http_cache_port(w3c_validator_script_t)
+ 
+-miscfiles_read_generic_certs(httpd_w3c_validator_script_t)
++miscfiles_read_generic_certs(w3c_validator_script_t)
+ 
+-sysnet_dns_name_resolve(httpd_w3c_validator_script_t)
++sysnet_dns_name_resolve(w3c_validator_script_t)
+diff --git a/webalizer.fc b/webalizer.fc
+index 64baf67..76c753b 100644
+--- a/webalizer.fc
++++ b/webalizer.fc
+@@ -6,4 +6,4 @@
+ 
+ /var/lib/webalizer(/.*)?	gen_context(system_u:object_r:webalizer_var_lib_t,s0)
+ 
+-/var/www/usage(/.*)?	gen_context(system_u:object_r:httpd_webalizer_content_t,s0)
++/var/www/usage(/.*)?	gen_context(system_u:object_r:webalizer_rw_content_t,s0)
+diff --git a/webalizer.te b/webalizer.te
+index e0b1983..32cbf8c 100644
+--- a/webalizer.te
++++ b/webalizer.te
+@@ -83,9 +83,8 @@ userdom_dontaudit_search_user_home_content(webalizer_t)
+ optional_policy(`
+ 	apache_read_log(webalizer_t)
+ 	apache_content_template(webalizer)
++	apache_content_alias_template(webalizer, webalizer)
+ 	apache_manage_sys_content(webalizer_t)
+-	manage_dirs_pattern(webalizer_t, httpd_webalizer_content_t, httpd_webalizer_content_t)
+-	manage_files_pattern(webalizer_t, httpd_webalizer_content_t, httpd_webalizer_content_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/zoneminder.fc b/zoneminder.fc
+index 8c61505..ceaa219 100644
+--- a/zoneminder.fc
++++ b/zoneminder.fc
+@@ -4,7 +4,7 @@
+ 
+ /usr/lib/systemd/system/zoneminder.* --  gen_context(system_u:object_r:zoneminder_unit_file_t,s0)
+ 
+-/usr/libexec/zoneminder/cgi-bin(/.*)? 	gen_context(system_u:object_r:httpd_zoneminder_script_exec_t,s0)
++/usr/libexec/zoneminder/cgi-bin(/.*)? 	gen_context(system_u:object_r:zoneminder_script_exec_t,s0)
+ 
+ /var/lib/zoneminder(/.*)?		gen_context(system_u:object_r:zoneminder_var_lib_t,s0)
+ 
+diff --git a/zoneminder.te b/zoneminder.te
+index add28f7..b66e76d 100644
+--- a/zoneminder.te
++++ b/zoneminder.te
+@@ -164,24 +164,24 @@ optional_policy(`
+ 
+ optional_policy(`
+ 	apache_content_template(zoneminder)
++	apache_content_alias_template(zoneminder, zoneminder)
+ 
+ 	# need more testing
+-	#allow httpd_zoneminder_script_t self:shm create_shm_perms;
++	#allow zoneminder_script_t self:shm create_shm_perms;
+ 
+-	manage_sock_files_pattern(httpd_zoneminder_script_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
++	manage_sock_files_pattern(zoneminder_script_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
+ 
+-    rw_files_pattern(httpd_zoneminder_script_t, zoneminder_tmpfs_t, zoneminder_tmpfs_t)
++    rw_files_pattern(zoneminder_script_t, zoneminder_tmpfs_t, zoneminder_tmpfs_t)
+ 
+-	zoneminder_stream_connect(httpd_zoneminder_script_t)
++	zoneminder_stream_connect(zoneminder_script_t)
+ 
+-    can_exec(zoneminder_t, httpd_zoneminder_script_exec_t)
++    can_exec(zoneminder_t, zoneminder_script_exec_t)
+ 	
+-	files_search_var_lib(httpd_zoneminder_script_t)
++	files_search_var_lib(zoneminder_script_t)
+ 
+-	logging_send_syslog_msg(httpd_zoneminder_script_t)
++	logging_send_syslog_msg(zoneminder_script_t)
+ 
+ 	optional_policy(`
+-	    	mysql_stream_connect(httpd_zoneminder_script_t)
++	    	mysql_stream_connect(zoneminder_script_t)
+ 	')
+-
+ ')
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 5e63791..c91233a 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -509,7 +509,7 @@ index 058d908..9d57403 100644
 +')
 +
 diff --git a/abrt.te b/abrt.te
-index eb50f07..6ba0357 100644
+index eb50f07..15c0d4e 100644
 --- a/abrt.te
 +++ b/abrt.te
 @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
@@ -759,7 +759,7 @@ index eb50f07..6ba0357 100644
  ')
  
  optional_policy(`
-@@ -222,6 +237,16 @@ optional_policy(`
+@@ -222,6 +237,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -767,6 +767,10 @@ index eb50f07..6ba0357 100644
 +')
 +
 +optional_policy(`
++	mcelog_read_log(abrt_t)
++')
++
++optional_policy(`
 +	mozilla_plugin_dontaudit_rw_tmp_files(abrt_t)
 +	mozilla_plugin_read_rw_files(abrt_t)
 +')
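Review bot: The new `mcelog_read_log(abrt_t)` block grants the read access to the main `abrt_t` daemon domain, with no comment saying which abrt component opens the mcelog log. Elsewhere in this abrt.te patch the log-reading rules sit on narrower domains (`logging_read_generic_logs(abrt_dump_oops_t)`, `logging_read_all_logs(abrt_watch_log_t)`), so it is worth confirming from the recorded denial that the reader really runs as `abrt_t`. If it does, record that above the call, e.g. `# abrt_t reads the mcelog log; see <bug reference>`. The `mcelog_read_log` interface is added by the mcelog.if hunk of this commit, whose body is cut off in this view, so its permission set could not be checked.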
@@ -776,7 +780,7 @@ index eb50f07..6ba0357 100644
  	policykit_domtrans_auth(abrt_t)
  	policykit_read_lib(abrt_t)
  	policykit_read_reload(abrt_t)
-@@ -233,6 +258,7 @@ optional_policy(`
+@@ -233,6 +262,7 @@ optional_policy(`
  	corecmd_exec_all_executables(abrt_t)
  ')
  
@@ -784,7 +788,7 @@ index eb50f07..6ba0357 100644
  optional_policy(`
  	rpm_exec(abrt_t)
  	rpm_dontaudit_manage_db(abrt_t)
-@@ -243,6 +269,7 @@ optional_policy(`
+@@ -243,6 +273,7 @@ optional_policy(`
  	rpm_signull(abrt_t)
  ')
  
@@ -792,7 +796,7 @@ index eb50f07..6ba0357 100644
  optional_policy(`
  	sendmail_domtrans(abrt_t)
  ')
-@@ -253,9 +280,17 @@ optional_policy(`
+@@ -253,9 +284,17 @@ optional_policy(`
  	sosreport_delete_tmp_files(abrt_t)
  ')
  
@@ -811,7 +815,7 @@ index eb50f07..6ba0357 100644
  #
  
  allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
-@@ -266,9 +301,13 @@ tunable_policy(`abrt_handle_event',`
+@@ -266,9 +305,13 @@ tunable_policy(`abrt_handle_event',`
  	can_exec(abrt_t, abrt_handle_event_exec_t)
  ')
  
@@ -826,7 +830,7 @@ index eb50f07..6ba0357 100644
  #
  
  allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -281,6 +320,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+@@ -281,6 +324,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
@@ -834,7 +838,7 @@ index eb50f07..6ba0357 100644
  
  read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
  read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
-@@ -289,15 +329,20 @@ corecmd_read_all_executables(abrt_helper_t)
+@@ -289,15 +333,20 @@ corecmd_read_all_executables(abrt_helper_t)
  
  domain_read_all_domains_state(abrt_helper_t)
  
@@ -855,7 +859,7 @@ index eb50f07..6ba0357 100644
  	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
  	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
  	dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -305,11 +350,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -305,11 +354,25 @@ ifdef(`hide_broken_symptoms',`
  	dev_dontaudit_write_all_chr_files(abrt_helper_t)
  	dev_dontaudit_write_all_blk_files(abrt_helper_t)
  	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -882,7 +886,7 @@ index eb50f07..6ba0357 100644
  #
  
  allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
-@@ -327,10 +386,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
+@@ -327,10 +390,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
  
  dev_read_urand(abrt_retrace_coredump_t)
  
@@ -896,7 +900,7 @@ index eb50f07..6ba0357 100644
  optional_policy(`
  	rpm_exec(abrt_retrace_coredump_t)
  	rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
-@@ -343,10 +404,11 @@ optional_policy(`
+@@ -343,10 +408,11 @@ optional_policy(`
  
  #######################################
  #
@@ -910,7 +914,7 @@ index eb50f07..6ba0357 100644
  allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
  
  domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -365,38 +427,48 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -365,38 +431,48 @@ corecmd_exec_shell(abrt_retrace_worker_t)
  
  dev_read_urand(abrt_retrace_worker_t)
  
@@ -962,7 +966,7 @@ index eb50f07..6ba0357 100644
  
  #######################################
  #
-@@ -404,7 +476,7 @@ logging_read_generic_logs(abrt_dump_oops_t)
+@@ -404,7 +480,7 @@ logging_read_generic_logs(abrt_dump_oops_t)
  #
  
  allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
@@ -971,7 +975,7 @@ index eb50f07..6ba0357 100644
  
  read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
  
-@@ -413,16 +485,42 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
+@@ -413,16 +489,42 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
  corecmd_exec_bin(abrt_watch_log_t)
  
  logging_read_all_logs(abrt_watch_log_t)
@@ -1015,7 +1019,7 @@ index eb50f07..6ba0357 100644
  ')
  
  #######################################
-@@ -430,10 +528,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
+@@ -430,10 +532,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
  # Global local policy
  #
  
@@ -21332,10 +21336,12 @@ index aa0ef6e..02bdb68 100644
 +    rhsmcertd_rw_inherited_lock_files(dmidecode_t)
 +')
 diff --git a/dnsmasq.fc b/dnsmasq.fc
-index 23ab808..4a801b5 100644
+index 23ab808..84735a8 100644
 --- a/dnsmasq.fc
 +++ b/dnsmasq.fc
-@@ -2,6 +2,8 @@
+@@ -1,13 +1,16 @@
+ /etc/dnsmasq\.conf	--	gen_context(system_u:object_r:dnsmasq_etc_t,s0)
++/etc/dnsmasq\.d(/.*)?		gen_context(system_u:object_r:dnsmasq_etc_t,s0)
  
  /etc/rc\.d/init\.d/dnsmasq	--	gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0)
  
@@ -21344,8 +21350,16 @@ index 23ab808..4a801b5 100644
  /usr/sbin/dnsmasq	--	gen_context(system_u:object_r:dnsmasq_exec_t,s0)
  
  /var/lib/misc/dnsmasq\.leases	--	gen_context(system_u:object_r:dnsmasq_lease_t,s0)
+ /var/lib/dnsmasq(/.*)?	gen_context(system_u:object_r:dnsmasq_lease_t,s0)
+ 
+-/var/log/dnsmasq.*	--	gen_context(system_u:object_r:dnsmasq_var_log_t,s0)
++/var/log/dnsmasq.*		gen_context(system_u:object_r:dnsmasq_var_log_t,s0)
+ 
+-/var/run/dnsmasq.*	--	gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
++/var/run/dnsmasq.*		gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
+ /var/run/libvirt/network(/.*)?	gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
 diff --git a/dnsmasq.if b/dnsmasq.if
-index 19aa0b8..1e8b244 100644
+index 19aa0b8..e34a540 100644
 --- a/dnsmasq.if
 +++ b/dnsmasq.if
 @@ -10,7 +10,6 @@
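Review bot: Dropping the `--` class specifier from `/var/log/dnsmasq.*` and `/var/run/dnsmasq.*` makes both entries apply to every object class. Because `dnsmasq.*` is an open-ended prefix match, any directory, symlink or socket whose path merely starts with that prefix now receives a dnsmasq type on relabel. If the aim is to cover a `dnsmasq` directory and its contents (an assumption; the commit does not say), a tighter pair keeps the file-only rule and adds an anchored one: `/var/run/dnsmasq.*	--	gen_context(system_u:object_r:dnsmasq_var_run_t,s0)` plus `/var/run/dnsmasq(/.*)?	gen_context(system_u:object_r:dnsmasq_var_run_t,s0)`, and likewise for `/var/log`. The new `/etc/dnsmasq\.d(/.*)?` entry in the preceding hunk already uses that anchored form.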
@@ -21489,7 +21503,7 @@ index 19aa0b8..1e8b244 100644
  	read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
  ')
  
-@@ -214,37 +292,46 @@ interface(`dnsmasq_create_pid_dirs',`
+@@ -214,37 +292,49 @@ interface(`dnsmasq_create_pid_dirs',`
  
  ########################################
  ## <summary>
@@ -21545,16 +21559,19 @@ index 19aa0b8..1e8b244 100644
 +#
 +interface(`dnsmasq_filetrans_named_content',`
 +		gen_require(`
++            type dnsmasq_etc_t;
 +			type dnsmasq_var_run_t;
 +	')
 +
 +	files_pid_filetrans($1, dnsmasq_var_run_t, dir, "network")
 +	files_pid_filetrans($1, dnsmasq_var_run_t, file, "dnsmasq.pid")
 +	virt_pid_filetrans($1, dnsmasq_var_run_t, file, "network")
++	files_etc_filetrans($1, dnsmasq_etc_t, file, "dnsmasq.conf")
++	files_etc_filetrans($1, dnsmasq_etc_t, dir, "dnsmasq.d")
  ')
  
  ########################################
-@@ -267,12 +354,18 @@ interface(`dnsmasq_spec_filetrans_pid',`
+@@ -267,12 +357,18 @@ interface(`dnsmasq_spec_filetrans_pid',`
  interface(`dnsmasq_admin',`
  	gen_require(`
  		type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t;
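Review bot: The new `type dnsmasq_etc_t;` line in the gen_require of dnsmasq_filetrans_named_content is indented with spaces while the line after it uses tabs, and the two requires can be folded into `type dnsmasq_etc_t, dnsmasq_var_run_t;`. With the two added `files_etc_filetrans` lines, every caller of this interface also gets named transitions for `dnsmasq.conf` and `dnsmasq.d` in /etc, not only the pid-file transitions it had before. The interface's summary comment lies above this hunk; if it still describes only pid content it should be updated to mention the configuration files.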
@@ -21575,7 +21592,7 @@ index 19aa0b8..1e8b244 100644
  	init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
  	domain_system_change_exemption($1)
  	role_transition $2 dnsmasq_initrc_exec_t system_r;
-@@ -281,9 +374,13 @@ interface(`dnsmasq_admin',`
+@@ -281,9 +377,13 @@ interface(`dnsmasq_admin',`
  	files_list_var_lib($1)
  	admin_pattern($1, dnsmasq_lease_t)
  
@@ -37952,6 +37969,36 @@ index e6136fd..f5203f5 100644
  
  ifdef(`distro_debian',`
  	optional_policy(`
+diff --git a/mcelog.if b/mcelog.if
+index f89651e..ea89ab1 100644
+--- a/mcelog.if
++++ b/mcelog.if
+@@ -19,6 +19,25 @@ interface(`mcelog_domtrans',`
+ 	domtrans_pattern($1, mcelog_exec_t, mcelog_t)
+ ')
+ 
++######################################
++## <summary>
++##	Read mcelog logs.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`mcelog_read_log',`
++	gen_require(`
++		type mcelog_var_log_t;
++	')
++
++	logging_search_logs($1)
++	read_files_pattern($1, mcelog_var_log_t, mcelog_var_log_t)
++')
++
+ ########################################
+ ## <summary>
+ ##	All of the rules required to
 diff --git a/mcelog.te b/mcelog.te
 index 59b3b3d..064c4fd 100644
 --- a/mcelog.te
@@ -66426,10 +66473,10 @@ index 83eb09e..b48c931 100644
 +')
 +
 diff --git a/quantum.fc b/quantum.fc
-index 70ab68b..1de192b 100644
+index 70ab68b..32dec67 100644
 --- a/quantum.fc
 +++ b/quantum.fc
-@@ -1,10 +1,26 @@
+@@ -1,10 +1,28 @@
 -/etc/rc\.d/init\.d/quantum.*	--	gen_context(system_u:object_r:quantum_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/neutron.*	--	gen_context(system_u:object_r:neutron_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/quantum.*	--	gen_context(system_u:object_r:neutron_initrc_exec_t,s0)
@@ -66440,6 +66487,8 @@ index 70ab68b..1de192b 100644
 -/usr/bin/quantum-ryu-agent	--	gen_context(system_u:object_r:quantum_exec_t,s0)
 +/usr/bin/neutron-dhcp-agent     --  gen_context(system_u:object_r:neutron_exec_t,s0)
 +/usr/bin/neutron-l3-agent       --  gen_context(system_u:object_r:neutron_exec_t,s0)
++/usr/bin/neutron-lbaas-agent	--	gen_context(system_u:object_r:neutron_exec_t,s0)
++/usr/bin/neutron-rootwrap	--	gen_context(system_u:object_r:neutron_exec_t,s0)
 +/usr/bin/neutron-linuxbridge-agent	--	gen_context(system_u:object_r:neutron_exec_t,s0)
 +/usr/bin/neutron-openvswitch-agent	--	gen_context(system_u:object_r:neutron_exec_t,s0)
 +/usr/bin/neutron-ovs-cleanup    --  gen_context(system_u:object_r:neutron_exec_t,s0)
@@ -66779,7 +66828,7 @@ index afc0068..3105104 100644
 +	')
  ')
 diff --git a/quantum.te b/quantum.te
-index 8644d8b..d850703 100644
+index 8644d8b..b744b5d 100644
 --- a/quantum.te
 +++ b/quantum.te
 @@ -5,92 +5,105 @@ policy_module(quantum, 1.1.0)
@@ -66906,7 +66955,7 @@ index 8644d8b..d850703 100644
 +logging_send_syslog_msg(neutron_t)
  
 -miscfiles_read_localization(quantum_t)
-+sysnet_domtrans_ifconfig(neutron_t)
++sysnet_exec_ifconfig(neutron_t)
  
 -sysnet_domtrans_ifconfig(quantum_t)
 +optional_policy(`
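Review bot: Replacing `sysnet_domtrans_ifconfig(neutron_t)` with `sysnet_exec_ifconfig(neutron_t)` means ifconfig no longer transitions out of the caller's domain, so whatever it needs must be granted to neutron_t directly instead of staying confined to the ifconfig domain. That is a least-privilege trade-off worth recording next to the line, for example `# run ifconfig in neutron_t: <reason the transition could not be used>`. The quantum.fc hunk in this same change labels `/usr/bin/neutron-rootwrap` as neutron_exec_t, which looks like part of the same decision to keep helper commands inside neutron_t. The remaining neutron_t rules are outside this hunk, so the resulting permission set should be checked there.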
@@ -92905,7 +92954,7 @@ index facdee8..73549fd 100644
 +	virt_stream_connect($1)
  ')
 diff --git a/virt.te b/virt.te
-index f03dcf5..007e3ca 100644
+index f03dcf5..d58e3de 100644
 --- a/virt.te
 +++ b/virt.te
 @@ -1,150 +1,176 @@
@@ -94330,7 +94379,7 @@ index f03dcf5..007e3ca 100644
  selinux_get_enforce_mode(virtd_lxc_t)
  selinux_get_fs_mount(virtd_lxc_t)
  selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1094,239 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1094,246 @@ selinux_compute_create_context(virtd_lxc_t)
  selinux_compute_relabel_context(virtd_lxc_t)
  selinux_compute_user_contexts(virtd_lxc_t)
  
@@ -94655,6 +94704,13 @@ index f03dcf5..007e3ca 100644
 +allow svirt_qemu_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
 +allow svirt_qemu_net_t self:netlink_kobject_uevent_socket create_socket_perms;
 +
++manage_dirs_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
++manage_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
++manage_fifo_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
++manage_lnk_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
++manage_sock_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
++filetrans_pattern(sandbox_net_domain, virt_home_t, svirt_home_t, { dir sock_file file })
++
 +term_use_generic_ptys(svirt_qemu_net_t)
 +term_use_ptmx(svirt_qemu_net_t)
 +
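Review bot: The five `manage_*_pattern` lines let sandbox_net_domain manage dirs, files, fifos, symlinks and sockets of type svirt_home_t, but the `filetrans_pattern` that follows lists only `{ dir sock_file file }`, so a fifo or symlink created directly in a virt_home_t directory would not pick up svirt_home_t. If that is deliberate a comment should say so; otherwise extend the class set to `{ dir sock_file file fifo_file lnk_file }`. The rules are written against the sandbox_net_domain attribute although they sit among svirt_qemu_net_t rules, so they apply to every domain carrying the attribute, which this file also allows to bind and connect to all ports (`corenet_tcp_bind_all_ports`, `corenet_tcp_connect_all_ports`). A short comment confirming that scope is intended would help the next reader.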
@@ -94668,13 +94724,13 @@ index f03dcf5..007e3ca 100644
 +append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t)
 +
 +kernel_read_irq_sysctls(svirt_qemu_net_t)
-+
+ 
+-allow svirt_prot_exec_t self:process { execmem execstack };
 +dev_read_sysfs(svirt_qemu_net_t)
 +dev_getattr_mtrr_dev(svirt_qemu_net_t)
 +dev_read_rand(svirt_qemu_net_t)
 +dev_read_urand(svirt_qemu_net_t)
- 
--allow svirt_prot_exec_t self:process { execmem execstack };
++
 +files_read_kernel_modules(svirt_qemu_net_t)
 +
 +fs_noxattr_type(svirt_sandbox_file_t)
@@ -94706,7 +94762,7 @@ index f03dcf5..007e3ca 100644
  allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
  allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
  
-@@ -1174,12 +1339,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1346,12 @@ dev_read_sysfs(virt_qmf_t)
  dev_read_rand(virt_qmf_t)
  dev_read_urand(virt_qmf_t)
  
@@ -94721,7 +94777,7 @@ index f03dcf5..007e3ca 100644
  sysnet_read_config(virt_qmf_t)
  
  optional_policy(`
-@@ -1192,9 +1357,8 @@ optional_policy(`
+@@ -1192,9 +1364,8 @@ optional_policy(`
  
  ########################################
  #
@@ -94732,7 +94788,7 @@ index f03dcf5..007e3ca 100644
  allow virt_bridgehelper_t self:process { setcap getcap };
  allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
  allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1207,5 +1371,194 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1207,5 +1378,193 @@ kernel_read_network_state(virt_bridgehelper_t)
  
  corenet_rw_tun_tap_dev(virt_bridgehelper_t)
  
@@ -94928,7 +94984,6 @@ index f03dcf5..007e3ca 100644
 +corenet_udp_bind_all_ports(sandbox_net_domain)
 +corenet_tcp_bind_all_ports(sandbox_net_domain)
 +corenet_tcp_connect_all_ports(sandbox_net_domain)
-+
 diff --git a/vlock.te b/vlock.te
 index 6b72968..de409cc 100644
 --- a/vlock.te
@@ -98508,10 +98563,10 @@ index 3fded1c..5729b83 100644
 -miscfiles_read_localization(zarafa_domain)
 +dev_read_sysfs(zarafa_domain)
 diff --git a/zebra.fc b/zebra.fc
-index 28ee4ca..e1b30b2 100644
+index 28ee4ca..bc37f76 100644
 --- a/zebra.fc
 +++ b/zebra.fc
-@@ -1,21 +1,22 @@
+@@ -1,21 +1,34 @@
 -/etc/quagga(/.*)?	gen_context(system_u:object_r:zebra_conf_t,s0)
 -/etc/zebra(/.*)?	gen_context(system_u:object_r:zebra_conf_t,s0)
 -
@@ -98525,18 +98580,30 @@ index 28ee4ca..e1b30b2 100644
 -/etc/rc\.d/init\.d/zebra	--	gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/ripngd --	gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/zebra --	gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
-+
-+/usr/sbin/bgpd		--	gen_context(system_u:object_r:zebra_exec_t,s0)
-+/usr/sbin/zebra		--	gen_context(system_u:object_r:zebra_exec_t,s0)
-+
-+/etc/quagga(/.*)?		gen_context(system_u:object_r:zebra_conf_t,s0)
-+/etc/zebra(/.*)?		gen_context(system_u:object_r:zebra_conf_t,s0)
++/etc/rc\.d/init\.d/babeld -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/isisd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
++
++/usr/lib/systemd/system/babeld.*    --  gen_context(system_u:object_r:zebra_unit_file_t,s0)
++/usr/lib/systemd/system/bgpd.*      --  gen_context(system_u:object_r:zebra_unit_file_t,s0)
++/usr/lib/systemd/system/isisd.*     --  gen_context(system_u:object_r:zebra_unit_file_t,s0)
++/usr/lib/systemd/system/ospf6d.*    --  gen_context(system_u:object_r:zebra_unit_file_t,s0)
++/usr/lib/systemd/system/ospfd.*     --  gen_context(system_u:object_r:zebra_unit_file_t,s0)
++/usr/lib/systemd/system/ripd.*      --  gen_context(system_u:object_r:zebra_unit_file_t,s0)
++/usr/lib/systemd/system/ripngd.*    --  gen_context(system_u:object_r:zebra_unit_file_t,s0)
++/usr/lib/systemd/system/zebra.*     --  gen_context(system_u:object_r:zebra_unit_file_t,s0)
  
 -/usr/sbin/bgpd	--	gen_context(system_u:object_r:zebra_exec_t,s0)
++/usr/sbin/babeld    --  gen_context(system_u:object_r:zebra_exec_t,s0)
++/usr/sbin/bgpd		--	gen_context(system_u:object_r:zebra_exec_t,s0)
++/usr/sbin/isisd     --  gen_context(system_u:object_r:zebra_exec_t,s0)
  /usr/sbin/ospf.*	--	gen_context(system_u:object_r:zebra_exec_t,s0)
 -/usr/sbin/rip.*	--	gen_context(system_u:object_r:zebra_exec_t,s0)
 -/usr/sbin/zebra	--	gen_context(system_u:object_r:zebra_exec_t,s0)
 +/usr/sbin/rip.*		--	gen_context(system_u:object_r:zebra_exec_t,s0)
++/usr/sbin/zebra		--	gen_context(system_u:object_r:zebra_exec_t,s0)
++
++/etc/quagga(/.*)?		gen_context(system_u:object_r:zebra_conf_t,s0)
++/etc/zebra(/.*)?		gen_context(system_u:object_r:zebra_conf_t,s0)
  
 -/var/log/quagga(/.*)?	gen_context(system_u:object_r:zebra_log_t,s0)
 -/var/log/zebra(/.*)?	gen_context(system_u:object_r:zebra_log_t,s0)
@@ -98548,7 +98615,7 @@ index 28ee4ca..e1b30b2 100644
 -/var/run/quagga(/.*)?	gen_context(system_u:object_r:zebra_var_run_t,s0)
 +/var/run/quagga(/.*)?		gen_context(system_u:object_r:zebra_var_run_t,s0)
 diff --git a/zebra.if b/zebra.if
-index 3416401..ef64e73 100644
+index 3416401..676925c 100644
 --- a/zebra.if
 +++ b/zebra.if
 @@ -1,8 +1,8 @@
@@ -98580,8 +98647,33 @@ index 3416401..ef64e73 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -44,8 +43,8 @@ interface(`zebra_stream_connect',`
+@@ -42,10 +41,33 @@ interface(`zebra_stream_connect',`
+ 	stream_connect_pattern($1, zebra_var_run_t, zebra_var_run_t, zebra_t)
+ ')
  
++#######################################
++## <summary>
++##  Execute zebra services in the zebra domain.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed to transition.
++##  </summary>
++## </param>
++#
++interface(`zebra_systemctl',`
++    gen_require(`
++        type zebra_t;
++        type zebra_unit_file_t;
++    ')
++
++        systemd_exec_systemctl($1)
++        allow $1 zebra_unit_file_t:file read_file_perms;
++        allow $1 zebra_unit_file_t:service manage_service_perms;
++
++        ps_process_pattern($1, zebra_t)
++')
++
  ########################################
  ## <summary>
 -##	All of the rules required to
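Review bot: The doc block of the new zebra_systemctl interface says "Execute zebra services in the zebra domain" and "Domain allowed to transition", but the body performs no domain transition. It lets the caller execute systemctl, read zebra_unit_file_t files, use `manage_service_perms` on the zebra units and list zebra_t processes. A summary such as `Execute systemctl to control the zebra services.` with the parameter described as `Domain allowed access.` would match what is granted. The body is also indented with four and eight spaces, where the interfaces around it in zebra.if use tabs.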
@@ -98591,7 +98683,7 @@ index 3416401..ef64e73 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -54,7 +53,7 @@ interface(`zebra_stream_connect',`
+@@ -54,7 +76,7 @@ interface(`zebra_stream_connect',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -98600,7 +98692,7 @@ index 3416401..ef64e73 100644
  ##	</summary>
  ## </param>
  ## <rolecap/>
-@@ -62,12 +61,14 @@ interface(`zebra_stream_connect',`
+@@ -62,13 +84,16 @@ interface(`zebra_stream_connect',`
  interface(`zebra_admin',`
  	gen_require(`
  		type zebra_t, zebra_tmp_t, zebra_log_t;
@@ -98612,17 +98704,28 @@ index 3416401..ef64e73 100644
 -	allow $1 zebra_t:process { ptrace signal_perms };
 +	allow $1 zebra_t:process signal_perms;
  	ps_process_pattern($1, zebra_t)
+ 
 +	tunable_policy(`deny_ptrace',`',`
 +		allow $1 zebra_t:process ptrace;
 +	')
- 
++
  	init_labeled_script_domtrans($1, zebra_initrc_exec_t)
  	domain_system_change_exemption($1)
+ 	role_transition $2 zebra_initrc_exec_t system_r;
+@@ -85,4 +110,8 @@ interface(`zebra_admin',`
+ 
+ 	files_list_pids($1)
+ 	admin_pattern($1, zebra_var_run_t)
++
++    zebra_systemctl($1)
++    admin_pattern($1, zebra_unit_file_t)
++    allow $1 zebra_unit_file_t:service all_service_perms;
+ ')
 diff --git a/zebra.te b/zebra.te
-index 2e80d04..dd1513f 100644
+index 2e80d04..3a76167 100644
 --- a/zebra.te
 +++ b/zebra.te
-@@ -6,19 +6,19 @@ policy_module(zebra, 1.13.0)
+@@ -6,23 +6,26 @@ policy_module(zebra, 1.13.0)
  #
  
  ## <desc>
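Review bot: The three lines added at the end of zebra_admin use zebra_unit_file_t, yet the visible part of its gen_require lists only `type zebra_t, zebra_tmp_t, zebra_log_t;`. The remaining require lines are elided from this change, so confirm that zebra_unit_file_t is required there. `zebra_systemctl($1)` already grants `manage_service_perms` on the unit type, so the following `allow $1 zebra_unit_file_t:service all_service_perms;` is presumably a superset, and one of the two could be dropped or explained in a comment. The new lines are indented with four spaces where the rest of the interface body uses tabs.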
@@ -98648,7 +98751,14 @@ index 2e80d04..dd1513f 100644
  
  type zebra_initrc_exec_t;
  init_script_file(zebra_initrc_exec_t)
-@@ -40,24 +40,24 @@ files_pid_file(zebra_var_run_t)
+ 
++type zebra_unit_file_t;
++systemd_unit_file(zebra_unit_file_t)
++
+ type zebra_log_t;
+ logging_log_file(zebra_log_t)
+ 
+@@ -40,26 +43,27 @@ files_pid_file(zebra_var_run_t)
  allow zebra_t self:capability { setgid setuid net_admin net_raw };
  dontaudit zebra_t self:capability sys_tty_config;
  allow zebra_t self:process { signal_perms getcap setcap };
@@ -98676,11 +98786,16 @@ index 2e80d04..dd1513f 100644
  manage_sock_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
  logging_log_filetrans(zebra_t, zebra_log_t, { sock_file file dir })
  
+-allow zebra_t zebra_tmp_t:sock_file manage_sock_file_perms;
+-files_tmp_filetrans(zebra_t, zebra_tmp_t, sock_file)
 +# /tmp/.bgpd is such a bad idea!
- allow zebra_t zebra_tmp_t:sock_file manage_sock_file_perms;
- files_tmp_filetrans(zebra_t, zebra_tmp_t, sock_file)
++manage_sock_files_pattern(zebra_t, zebra_tmp_t, zebra_tmp_t)
++manage_files_pattern(zebra_t, zebra_tmp_t, zebra_tmp_t)
++files_tmp_filetrans(zebra_t, zebra_tmp_t, { file sock_file })
  
-@@ -71,7 +71,6 @@ kernel_read_network_state(zebra_t)
+ manage_dirs_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t)
+ manage_files_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t)
+@@ -71,7 +75,6 @@ kernel_read_network_state(zebra_t)
  kernel_read_kernel_sysctls(zebra_t)
  kernel_rw_net_sysctls(zebra_t)
  
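Review bot: The /tmp rules for zebra_t are widened here from socket files to regular files (`manage_files_pattern(zebra_t, zebra_tmp_t, zebra_tmp_t)` and `files_tmp_filetrans(zebra_t, zebra_tmp_t, { file sock_file })`), directly under the existing comment that already calls the `/tmp/.bgpd` socket a bad idea. Files with predictable names in a world-writable directory are exposed to pre-creation and symlink races from other local users, so the reason a routing daemon needs regular files in /tmp should be stated. A comment such as `# <daemon> writes <file> to /tmp; move under /var/run/quagga when possible` would do. If those files can live in the zebra_var_run_t directories managed just below, the extra /tmp transition would not be needed at all.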
@@ -98688,7 +98803,7 @@ index 2e80d04..dd1513f 100644
  corenet_all_recvfrom_netlabel(zebra_t)
  corenet_tcp_sendrecv_generic_if(zebra_t)
  corenet_udp_sendrecv_generic_if(zebra_t)
-@@ -79,48 +78,44 @@ corenet_raw_sendrecv_generic_if(zebra_t)
+@@ -79,48 +82,44 @@ corenet_raw_sendrecv_generic_if(zebra_t)
  corenet_tcp_sendrecv_generic_node(zebra_t)
  corenet_udp_sendrecv_generic_node(zebra_t)
  corenet_raw_sendrecv_generic_node(zebra_t)
@@ -98751,7 +98866,7 @@ index 2e80d04..dd1513f 100644
  	manage_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
  ')
  
-@@ -139,3 +134,7 @@ optional_policy(`
+@@ -139,3 +138,7 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(zebra_t)
  ')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 36ab3f0..19b62e7 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,12 +19,13 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
 patch: policy-rawhide-base.patch
 patch1: policy-rawhide-contrib.patch
+patch2: policy-rawhide-contrib-apache-content.patch
 Source1: modules-targeted-base.conf 
 Source31: modules-targeted-contrib.conf
 Source2: booleans-targeted.conf
@@ -315,6 +316,7 @@ Based off of reference policy: Checked out revision  2.20091117
 %prep 
 %setup -n serefpolicy-contrib-%{version} -q -b 29
 %patch1 -p1
+%patch2 -p1
 contrib_path=`pwd`
 %setup -n serefpolicy-%{version} -q
 %patch -p1
@@ -573,6 +575,9 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Thu Nov 14 2013 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-3
+- Add policy-rawhide-contrib-apache-content.patch to re-write apache_content_template() by dwalsh
+
 * Thu Nov 14 2013 Dan Walsh<dwalsh@redhat.com> 3.13.1-2
 - Fix config.tgz to include lxc_contexts and systemd_contexts