diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index e55c97c..94e6adf 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -5452,7 +5452,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index b191055..dab9975 100644 +index b191055..a19d634 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2) @@ -5724,7 +5724,7 @@ index b191055..dab9975 100644 network_port(puppet, tcp, 8140, s0) network_port(pxe, udp,4011,s0) network_port(pyzor, udp,24441,s0) -+network_port(neutron, tcp,9696,s0, tcp,9697,s0) ++network_port(neutron, tcp, 8775, s0, tcp,9696,s0, tcp,9697,s0) network_port(radacct, udp,1646,s0, udp,1813,s0) network_port(radius, udp,1645,s0, udp,1812,s0) network_port(radsec, tcp,2083,s0) @@ -5770,7 +5770,7 @@ index b191055..dab9975 100644 network_port(svn, tcp,3690,s0, udp,3690,s0) network_port(svrloc, tcp,427,s0, udp,427,s0) network_port(swat, tcp,901,s0) -+network_port(swift, tcp,6200,s0) ++network_port(swift, tcp,6200-6203,s0) network_port(sype_transport, tcp,9911,s0, udp,9911,s0) -network_port(syslogd, udp,514,s0) +network_port(syslogd, udp,514,s0, udp,601,s0, tcp,601,s0) @@ -22165,7 +22165,7 @@ index fe0c682..eb9cefe 100644 + ps_process_pattern($1, sshd_t) +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index cc877c7..bdb6d0e 100644 +index cc877c7..b4e231c 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,43 +6,68 @@ policy_module(ssh, 2.4.2) @@ -22673,7 +22673,7 @@ index cc877c7..bdb6d0e 100644 optional_policy(` seutil_sigchld_newrole(ssh_keygen_t) -@@ -341,3 +517,140 @@ optional_policy(` +@@ -341,3 +517,147 @@ optional_policy(` optional_policy(` udev_read_db(ssh_keygen_t) ') 
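Review bot: In the corenetwork.te.in hunk `@@ -5724`, `network_port(neutron, tcp, 8775, s0, tcp,9696,s0, tcp,9697,s0)` binds TCP 8775 to neutron_port_t; 8775 is conventionally the port of the OpenStack nova metadata API (inferred, not visible here), so check the rest of corenetwork.te.in for an existing `network_port` declaration of 8775 before landing this, since a port declared under two types does not build and, if it belongs to another service, labeling it neutron gives neutron-confined domains access to that service's listener. The spacing `tcp, 8775, s0` also differs from the adjacent `tcp,9696,s0` entries; `network_port(neutron, tcp,8775,s0, tcp,9696,s0, tcp,9697,s0)` keeps the declaration consistent with its neighbours.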
@@ -22728,6 +22728,9 @@ index cc877c7..bdb6d0e 100644 + +corecmd_exec_shell(chroot_user_t) + ++domain_subj_id_change_exemption(chroot_user_t) ++domain_role_change_exemption(chroot_user_t) ++ +term_search_ptys(chroot_user_t) +term_use_ptmx(chroot_user_t) + @@ -22777,6 +22780,10 @@ index cc877c7..bdb6d0e 100644 + ssh_rw_dgram_sockets(chroot_user_t) +') + ++optional_policy(` ++ unconfined_shell_domtrans(chroot_user_t) ++') ++ +###################################### +# +# ssh_agent_type common policy local policy @@ -29913,7 +29920,7 @@ index 79a45f6..89b43aa 100644 + files_etc_filetrans($1, machineid_t, file, "machine-id" ) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda24..7c66e96 100644 +index 17eda24..84a3fcf 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` @@ -30034,7 +30041,7 @@ index 17eda24..7c66e96 100644 # is ~sys_module really needed? observed: # sys_boot # sys_tty_config -@@ -108,14 +157,42 @@ allow init_t self:capability ~sys_module; +@@ -108,14 +157,43 @@ allow init_t self:capability ~sys_module; allow init_t self:fifo_file rw_fifo_file_perms; @@ -30072,6 +30079,7 @@ index 17eda24..7c66e96 100644 +manage_files_pattern(init_t, init_var_run_t, init_var_run_t) +manage_lnk_files_pattern(init_t, init_var_run_t, init_var_run_t) +manage_sock_files_pattern(init_t, init_var_run_t, init_var_run_t) ++manage_fifo_files_pattern(init_t, init_var_run_t, init_var_run_t) +files_pid_filetrans(init_t, init_var_run_t, { dir file }) +allow init_t init_var_run_t:dir mounton; +allow init_t init_var_run_t:sock_file relabelto; 
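Review bot: The two rules added in the `@@ -22728` hunk, `domain_subj_id_change_exemption(chroot_user_t)` and `domain_role_change_exemption(chroot_user_t)`, exempt the SSH chroot user domain from the constraints that otherwise block changing SELinux user identity and role, and the `@@ -22777` hunk adds `unconfined_shell_domtrans(chroot_user_t)`, which lets the same domain reach unconfined_t by executing a shell. Together these turn a domain whose purpose is confining chrooted SSH users into one that can leave confinement, so the hunk should carry a comment naming the concrete use case that requires it, and if only some deployments need it the three rules belong inside a `tunable_policy` gated by a new boolean rather than being granted unconditionally. The enclosing chroot_user_t block in ssh.te starts and ends outside these hunks.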
@@ -30083,7 +30091,7 @@ index 17eda24..7c66e96 100644 allow init_t initctl_t:fifo_file manage_fifo_file_perms; dev_filetrans(init_t, initctl_t, fifo_file) -@@ -125,13 +202,22 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; +@@ -125,13 +203,23 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; kernel_read_system_state(init_t) kernel_share_state(init_t) @@ -30097,6 +30105,7 @@ index 17eda24..7c66e96 100644 +corenet_tcp_bind_all_ports(init_t) +corenet_udp_bind_all_ports(init_t) + ++dev_create_all_chr_files(init_t) +dev_rw_sysfs(init_t) +dev_read_urand(init_t) +dev_read_raw_memory(init_t) @@ -30107,7 +30116,7 @@ index 17eda24..7c66e96 100644 domain_getpgid_all_domains(init_t) domain_kill_all_domains(init_t) -@@ -139,14 +225,22 @@ domain_signal_all_domains(init_t) +@@ -139,14 +227,22 @@ domain_signal_all_domains(init_t) domain_signull_all_domains(init_t) domain_sigstop_all_domains(init_t) domain_sigchld_all_domains(init_t) @@ -30130,7 +30139,7 @@ index 17eda24..7c66e96 100644 # file descriptors inherited from the rootfs: files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_chr_files(init_t) -@@ -156,28 +250,53 @@ fs_list_inotifyfs(init_t) +@@ -156,28 +252,53 @@ fs_list_inotifyfs(init_t) fs_write_ramfs_sockets(init_t) mcs_process_set_categories(init_t) @@ -30187,7 +30196,7 @@ index 17eda24..7c66e96 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +305,237 @@ ifdef(`distro_gentoo',` +@@ -186,29 +307,237 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -30434,7 +30443,7 @@ index 17eda24..7c66e96 100644 ') optional_policy(` -@@ -216,7 +543,31 @@ optional_policy(` +@@ -216,7 +545,31 @@ optional_policy(` ') optional_policy(` @@ -30466,7 +30475,7 @@ index 17eda24..7c66e96 100644 ') ######################################## -@@ -225,9 +576,9 @@ optional_policy(` +@@ -225,9 +578,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; 
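Review bot: `dev_create_all_chr_files(init_t)` in the `@@ -30097` hunk lets init_t create character device nodes of every device type, which is far wider than the neighbouring `dev_rw_sysfs`/`dev_read_urand` grants and removes a useful check on an init process creating arbitrary device nodes outside the normal /dev labeling. If the need is a specific set of nodes created at boot (inferred, not visible here), prefer the per-device create interfaces and record the trigger above the rule, e.g. `# init creates <which-nodes> at boot; needs create on <device-type>`; otherwise leave a why-comment explaining why the blanket grant is required. The init_t block in init.te continues outside this hunk.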
@@ -30478,7 +30487,7 @@ index 17eda24..7c66e96 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +609,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -258,12 +611,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -30495,7 +30504,7 @@ index 17eda24..7c66e96 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +634,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -279,23 +636,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -30538,7 +30547,7 @@ index 17eda24..7c66e96 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +671,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -303,9 +673,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -30550,7 +30559,7 @@ index 17eda24..7c66e96 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +683,10 @@ dev_write_framebuffer(initrc_t) +@@ -313,8 +685,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -30561,7 +30570,7 @@ index 17eda24..7c66e96 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +694,7 @@ dev_manage_generic_files(initrc_t) +@@ -322,8 +696,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) 
@@ -30571,7 +30580,7 @@ index 17eda24..7c66e96 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +703,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -332,7 +705,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -30579,7 +30588,7 @@ index 17eda24..7c66e96 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +710,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -340,6 +712,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -30587,7 +30596,7 @@ index 17eda24..7c66e96 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +718,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -347,14 +720,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -30605,7 +30614,7 @@ index 17eda24..7c66e96 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +736,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -364,8 +738,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -30619,7 +30628,7 @@ index 17eda24..7c66e96 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +751,11 @@ fs_mount_all_fs(initrc_t) +@@ -375,10 +753,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) 
@@ -30633,7 +30642,7 @@ index 17eda24..7c66e96 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,8 +764,10 @@ mls_process_read_up(initrc_t) +@@ -387,8 +766,10 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -30644,7 +30653,7 @@ index 17eda24..7c66e96 100644 storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) -@@ -398,6 +777,7 @@ term_use_all_terms(initrc_t) +@@ -398,6 +779,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -30652,7 +30661,7 @@ index 17eda24..7c66e96 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +796,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +798,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -30676,7 +30685,7 @@ index 17eda24..7c66e96 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +829,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +831,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -30684,7 +30693,7 @@ index 17eda24..7c66e96 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +863,10 @@ ifdef(`distro_gentoo',` +@@ -486,6 +865,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -30695,7 +30704,7 @@ index 17eda24..7c66e96 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +887,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +889,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd 
@@ -30704,7 +30713,7 @@ index 17eda24..7c66e96 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +902,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +904,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -30712,7 +30721,7 @@ index 17eda24..7c66e96 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +923,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +925,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -30720,7 +30729,7 @@ index 17eda24..7c66e96 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +933,44 @@ ifdef(`distro_redhat',` +@@ -550,8 +935,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -30765,7 +30774,7 @@ index 17eda24..7c66e96 100644 ') optional_policy(` -@@ -559,14 +978,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +980,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -30797,7 +30806,7 @@ index 17eda24..7c66e96 100644 ') ') -@@ -577,6 +1013,39 @@ ifdef(`distro_suse',` +@@ -577,6 +1015,39 @@ ifdef(`distro_suse',` ') ') @@ -30837,7 +30846,7 @@ index 17eda24..7c66e96 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1058,8 @@ optional_policy(` +@@ -589,6 +1060,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -30846,7 +30855,7 @@ index 17eda24..7c66e96 100644 ') optional_policy(` -@@ -610,6 +1081,7 @@ optional_policy(` +@@ -610,6 +1083,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -30854,7 +30863,7 @@ index 17eda24..7c66e96 100644 ') optional_policy(` -@@ -626,6 +1098,17 @@ optional_policy(` +@@ -626,6 +1100,17 @@ optional_policy(` ') optional_policy(` 
@@ -30872,7 +30881,7 @@ index 17eda24..7c66e96 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1125,13 @@ optional_policy(` +@@ -642,9 +1127,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -30886,7 +30895,7 @@ index 17eda24..7c66e96 100644 ') optional_policy(` -@@ -657,15 +1144,11 @@ optional_policy(` +@@ -657,15 +1146,11 @@ optional_policy(` ') optional_policy(` @@ -30904,7 +30913,7 @@ index 17eda24..7c66e96 100644 ') optional_policy(` -@@ -686,6 +1169,15 @@ optional_policy(` +@@ -686,6 +1171,15 @@ optional_policy(` ') optional_policy(` @@ -30920,7 +30929,7 @@ index 17eda24..7c66e96 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1218,7 @@ optional_policy(` +@@ -726,6 +1220,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -30928,7 +30937,7 @@ index 17eda24..7c66e96 100644 ') optional_policy(` -@@ -743,7 +1236,13 @@ optional_policy(` +@@ -743,7 +1238,13 @@ optional_policy(` ') optional_policy(` @@ -30943,7 +30952,7 @@ index 17eda24..7c66e96 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1265,10 @@ optional_policy(` +@@ -766,6 +1267,10 @@ optional_policy(` ') optional_policy(` @@ -30954,7 +30963,7 @@ index 17eda24..7c66e96 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1278,20 @@ optional_policy(` +@@ -775,10 +1280,20 @@ optional_policy(` ') optional_policy(` @@ -30975,7 +30984,7 @@ index 17eda24..7c66e96 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1300,10 @@ optional_policy(` +@@ -787,6 +1302,10 @@ optional_policy(` ') optional_policy(` @@ -30986,7 +30995,7 @@ index 17eda24..7c66e96 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1325,6 @@ optional_policy(` +@@ -808,8 +1327,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) 
@@ -30995,7 +31004,7 @@ index 17eda24..7c66e96 100644 ') optional_policy(` -@@ -818,6 +1333,10 @@ optional_policy(` +@@ -818,6 +1335,10 @@ optional_policy(` ') optional_policy(` @@ -31006,7 +31015,7 @@ index 17eda24..7c66e96 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1346,12 @@ optional_policy(` +@@ -827,10 +1348,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -31019,7 +31028,7 @@ index 17eda24..7c66e96 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,21 +1378,60 @@ optional_policy(` +@@ -857,21 +1380,60 @@ optional_policy(` ') optional_policy(` @@ -31081,7 +31090,7 @@ index 17eda24..7c66e96 100644 ') optional_policy(` -@@ -887,6 +1447,10 @@ optional_policy(` +@@ -887,6 +1449,10 @@ optional_policy(` ') optional_policy(` @@ -31092,7 +31101,7 @@ index 17eda24..7c66e96 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1461,218 @@ optional_policy(` +@@ -897,3 +1463,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -47757,7 +47766,7 @@ index e79d545..101086d 100644 ') diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt -index 6e91317..018d0a6 100644 +index 6e91317..8fc985f 100644 --- a/policy/support/obj_perm_sets.spt +++ b/policy/support/obj_perm_sets.spt @@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }') 
@@ -47819,16 +47828,18 @@ index 6e91317..018d0a6 100644 define(`create_fifo_file_perms',`{ getattr create open }') define(`rename_fifo_file_perms',`{ getattr rename }') define(`delete_fifo_file_perms',`{ getattr unlink }') -@@ -208,7 +212,8 @@ define(`getattr_sock_file_perms',`{ getattr }') +@@ -208,8 +212,9 @@ define(`getattr_sock_file_perms',`{ getattr }') define(`setattr_sock_file_perms',`{ setattr }') define(`read_sock_file_perms',`{ getattr open read }') define(`write_sock_file_perms',`{ getattr write open append }') -define(`rw_sock_file_perms',`{ getattr open read write append }') +-define(`create_sock_file_perms',`{ getattr create open }') +define(`rw_inherited_sock_file_perms',`{ getattr read write append }') +define(`rw_sock_file_perms',`{ open rw_inherited_sock_file_perms }') - define(`create_sock_file_perms',`{ getattr create open }') ++define(`create_sock_file_perms',`{ getattr setattr create open }') define(`rename_sock_file_perms',`{ getattr rename }') define(`delete_sock_file_perms',`{ getattr unlink }') + define(`manage_sock_file_perms',`{ create open getattr setattr read write rename link unlink ioctl lock append }') @@ -225,7 +230,8 @@ define(`setattr_blk_file_perms',`{ setattr }') define(`read_blk_file_perms',`{ getattr open read lock ioctl }') define(`append_blk_file_perms',`{ getattr open append lock ioctl }') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 78d8b8e..0c4c893 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -5037,7 +5037,7 @@ index f6eb485..61f36b6 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 6649962..2a768b5 100644 +index 6649962..df59f52 100644 --- a/apache.te +++ b/apache.te @@ -5,280 +5,339 @@ policy_module(apache, 2.7.2) 
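Review bot: The new `define(`create_sock_file_perms',`{ getattr setattr create open }')` in the obj_perm_sets.spt hunk adds setattr to a permission set consumed by every create_sock_files_pattern caller in base and contrib, so all of those domains silently gain setattr on socket files from this one line. If a single domain needs to change ownership or mode on a socket it just created, an explicit `allow <domain> <type>:sock_file setattr;` in that module, or a dedicated set like the `rw_inherited_sock_file_perms` introduced in the same hunk, keeps the widening local; at minimum a comment on the define should record which caller motivated the change.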
@@ -6260,7 +6260,7 @@ index 6649962..2a768b5 100644 ') optional_policy(` -@@ -786,35 +944,55 @@ optional_policy(` +@@ -786,35 +944,59 @@ optional_policy(` ') optional_policy(` @@ -6283,6 +6283,10 @@ index 6649962..2a768b5 100644 - ldap_tcp_connect(httpd_t) - ') +optional_policy(` ++ ipa_search_lib(httpd_t) ++') ++ ++optional_policy(` + mirrormanager_manage_pid_files(httpd_t) + mirrormanager_read_lib_files(httpd_t) + mirrormanager_read_log(httpd_t) @@ -6329,7 +6333,7 @@ index 6649962..2a768b5 100644 tunable_policy(`httpd_manage_ipa',` memcached_manage_pid_files(httpd_t) -@@ -822,8 +1000,18 @@ optional_policy(` +@@ -822,8 +1004,18 @@ optional_policy(` ') optional_policy(` @@ -6348,7 +6352,7 @@ index 6649962..2a768b5 100644 tunable_policy(`httpd_can_network_connect_db',` mysql_tcp_connect(httpd_t) -@@ -832,6 +1020,7 @@ optional_policy(` +@@ -832,6 +1024,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -6356,7 +6360,7 @@ index 6649962..2a768b5 100644 ') optional_policy(` -@@ -842,20 +1031,40 @@ optional_policy(` +@@ -842,20 +1035,40 @@ optional_policy(` ') optional_policy(` @@ -6391,19 +6395,19 @@ index 6649962..2a768b5 100644 - ') +optional_policy(` + puppet_read_lib(httpd_t) ++') ++ ++optional_policy(` ++ pwauth_domtrans(httpd_t) ') optional_policy(` - puppet_read_lib_files(httpd_t) -+ pwauth_domtrans(httpd_t) -+') -+ -+optional_policy(` + rpm_dontaudit_read_db(httpd_t) ') optional_policy(` -@@ -863,19 +1072,35 @@ optional_policy(` +@@ -863,19 +1076,35 @@ optional_policy(` ') optional_policy(` @@ -6439,7 +6443,7 @@ index 6649962..2a768b5 100644 udev_read_db(httpd_t) ') -@@ -883,65 +1108,189 @@ optional_policy(` +@@ -883,65 +1112,189 @@ optional_policy(` yam_read_content(httpd_t) ') 
@@ -6651,7 +6655,7 @@ index 6649962..2a768b5 100644 files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -950,123 +1299,74 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -950,123 +1303,74 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -6806,7 +6810,7 @@ index 6649962..2a768b5 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1083,172 +1383,106 @@ optional_policy(` +@@ -1083,172 +1387,106 @@ optional_policy(` ') ') @@ -6826,13 +6830,13 @@ index 6649962..2a768b5 100644 -allow httpd_script_domains self:fifo_file rw_file_perms; -allow httpd_script_domains self:unix_stream_socket connectto; -- ++allow httpd_sys_script_t self:process getsched; + -allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms; - -append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t) -read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t) -+allow httpd_sys_script_t self:process getsched; - +- -kernel_dontaudit_search_sysctl(httpd_script_domains) -kernel_dontaudit_search_kernel_sysctl(httpd_script_domains) - @@ -6978,10 +6982,10 @@ index 6649962..2a768b5 100644 -allow httpd_sys_script_t httpd_t:tcp_socket { read write }; - -dontaudit httpd_sys_script_t httpd_config_t:dir search; +- +-allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms }; +corenet_all_recvfrom_netlabel(httpd_sys_script_t) --allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms }; -- -allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; -allow httpd_sys_script_t squirrelmail_spool_t:file read_file_perms; -allow httpd_sys_script_t squirrelmail_spool_t:lnk_file read_lnk_file_perms; 
@@ -7043,7 +7047,7 @@ index 6649962..2a768b5 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1256,64 +1490,74 @@ tunable_policy(`httpd_read_user_content',` +@@ -1256,64 +1494,74 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` @@ -7140,7 +7144,7 @@ index 6649962..2a768b5 100644 ######################################## # -@@ -1321,8 +1565,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1321,8 +1569,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` @@ -7157,7 +7161,7 @@ index 6649962..2a768b5 100644 ') ######################################## -@@ -1330,49 +1581,38 @@ optional_policy(` +@@ -1330,49 +1585,38 @@ optional_policy(` # User content local policy # @@ -7222,7 +7226,7 @@ index 6649962..2a768b5 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1382,38 +1622,101 @@ dev_read_urand(httpd_passwd_t) +@@ -1382,38 +1626,101 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) 
@@ -12207,6 +12211,264 @@ index e5b621c..e7c249d 100644 -optional_policy(` - mta_send_mail(chronyd_t) -') +diff --git a/cinder.fc b/cinder.fc +new file mode 100644 +index 0000000..4b318b7 +--- /dev/null ++++ b/cinder.fc +@@ -0,0 +1,16 @@ ++ ++/usr/bin/cinder-api -- gen_context(system_u:object_r:cinder_api_exec_t,s0) ++/usr/bin/cinder-backup -- gen_context(system_u:object_r:cinder_backup_exec_t,s0) ++/usr/bin/cinder-scheduler -- gen_context(system_u:object_r:cinder_scheduler_exec_t,s0) ++/usr/bin/cinder-volume -- gen_context(system_u:object_r:cinder_volume_exec_t,s0) ++ ++/usr/lib/systemd/system/openstack-cinder-api.* -- gen_context(system_u:object_r:cinder_api_unit_file_t,s0) ++/usr/lib/systemd/system/openstack-cinder-backup.* -- gen_context(system_u:object_r:cinder_backup_unit_file_t,s0) ++/usr/lib/systemd/system/openstack-cinder-scheduler.* -- gen_context(system_u:object_r:cinder_scheduler_unit_file_t,s0) ++/usr/lib/systemd/system/openstack-cinder-volume.* -- gen_context(system_u:object_r:cinder_volume_unit_file_t,s0) ++ ++/var/lib/cinder(/.*)? gen_context(system_u:object_r:cinder_var_lib_t,s0) ++ ++/var/log/cinder(/.*)? gen_context(system_u:object_r:cinder_log_t,s0) ++ ++/var/run/cinder(/.*)? gen_context(system_u:object_r:cinder_var_run_t,s0) +diff --git a/cinder.if b/cinder.if +new file mode 100644 +index 0000000..fc9cae7 +--- /dev/null ++++ b/cinder.if +@@ -0,0 +1,57 @@ ++## openstack-cinder ++ ++###################################### ++## ++## Manage cinder lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cinder_manage_lib_files',` ++ gen_require(` ++ type cinder_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, cinder_var_lib_t, cinder_var_lib_t) ++') ++ ++####################################### ++## ++## Creates types and rules for a basic ++## openstack-cinder systemd daemon domain. ++## ++## ++## ++## Prefix for the domain. 
++## ++## ++# ++template(`cinder_domain_template',` ++ gen_require(` ++ attribute cinder_domain; ++ ') ++ ++ type cinder_$1_t, cinder_domain; ++ type cinder_$1_exec_t; ++ init_daemon_domain(cinder_$1_t, cinder_$1_exec_t) ++ ++ type cinder_$1_unit_file_t; ++ systemd_unit_file(cinder_$1_unit_file_t) ++ ++ type cinder_$1_tmp_t; ++ files_tmp_file(cinder_$1_tmp_t) ++ ++ manage_dirs_pattern(cinder_$1_t, cinder_$1_tmp_t, cinder_$1_tmp_t) ++ manage_files_pattern(cinder_$1_t, cinder_$1_tmp_t, cinder_$1_tmp_t) ++ files_tmp_filetrans(cinder_$1_t, cinder_$1_tmp_t, { file dir }) ++ can_exec(cinder_$1_t, cinder_$1_tmp_t) ++ ++ kernel_read_system_state(cinder_$1_t) ++ ++ logging_send_syslog_msg(cinder_$1_t) ++ ++') +diff --git a/cinder.te b/cinder.te +new file mode 100644 +index 0000000..f257547 +--- /dev/null ++++ b/cinder.te +@@ -0,0 +1,167 @@ ++policy_module(cinder, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++# ++# cinder-stack daemons contain security issue with using sudo in the code ++# we make this policy as unconfined until this issue is fixed ++# ++ ++attribute cinder_domain; ++ ++cinder_domain_template(api) ++cinder_domain_template(backup) ++cinder_domain_template(scheduler) ++cinder_domain_template(volume) ++ ++type cinder_log_t; ++logging_log_file(cinder_log_t) ++ ++type cinder_var_lib_t; ++files_type(cinder_var_lib_t) ++ ++type cinder_var_run_t; ++files_pid_file(cinder_var_run_t) ++ ++###################################### ++# ++# cinder general domain local policy ++# ++ ++allow cinder_domain self:process signal_perms; ++allow cinder_domain self:fifo_file rw_fifo_file_perms; ++allow cinder_domain self:tcp_socket create_stream_socket_perms; ++allow cinder_domain self:unix_stream_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(cinder_domain, cinder_log_t, cinder_log_t) ++manage_files_pattern(cinder_domain, cinder_log_t, cinder_log_t) ++ ++manage_dirs_pattern(cinder_domain, cinder_var_lib_t, cinder_var_lib_t) 
++manage_files_pattern(cinder_domain, cinder_var_lib_t, cinder_var_lib_t) ++ ++manage_dirs_pattern(cinder_domain, cinder_var_run_t, cinder_var_run_t) ++manage_files_pattern(cinder_domain, cinder_var_run_t, cinder_var_run_t) ++ ++corenet_tcp_connect_amqp_port(cinder_domain) ++corenet_tcp_connect_mysqld_port(cinder_domain) ++ ++kernel_read_network_state(cinder_domain) ++ ++corecmd_exec_bin(cinder_domain) ++corecmd_exec_shell(cinder_domain) ++corenet_tcp_connect_mysqld_port(cinder_domain) ++ ++auth_read_passwd(cinder_domain) ++ ++dev_read_sysfs(cinder_domain) ++dev_read_urand(cinder_domain) ++ ++fs_getattr_xattr_fs(cinder_domain) ++ ++init_read_utmp(cinder_domain) ++ ++libs_exec_ldconfig(cinder_domain) ++ ++optional_policy(` ++ mysql_stream_connect(cinder_domain) ++ mysql_read_db_lnk_files(cinder_domain) ++') ++ ++optional_policy(` ++ sysnet_read_config(cinder_domain) ++ sysnet_exec_ifconfig(cinder_domain) ++') ++ ++####################################### ++# ++# cinder api local policy ++# ++ ++allow cinder_api_t self:process setfscreate; ++allow cinder_api_t self:key write; ++allow cinder_api_t self:netlink_route_socket r_netlink_socket_perms; ++allow cinder_api_t self:udp_socket create_socket_perms; ++ ++kernel_read_kernel_sysctls(cinder_api_t) ++ ++corenet_tcp_bind_generic_node(cinder_api_t) ++corenet_udp_bind_generic_node(cinder_api_t) ++# should be add to booleans ++corenet_tcp_connect_all_ports(cinder_api_t) ++corenet_tcp_bind_all_unreserved_ports(cinder_api_t) ++ ++auth_read_passwd(cinder_api_t) ++ ++logging_send_syslog_msg(cinder_api_t) ++ ++miscfiles_read_certs(cinder_api_t) ++ ++optional_policy(` ++ iptables_domtrans(cinder_api_t) ++') ++ ++optional_policy(` ++ ssh_exec_keygen(cinder_api_t) ++') ++ ++optional_policy(` ++ gnome_dontaudit_search_config(cinder_api_t) ++') ++ ++optional_policy(` ++ unconfined_domain(cinder_api_t) ++') ++ ++####################################### ++# ++# cinder backup local policy ++# ++ ++allow cinder_backup_t self:udp_socket 
create_socket_perms; ++ ++auth_use_nsswitch(cinder_backup_t) ++ ++optional_policy(` ++ unconfined_domain(cinder_backup_t) ++') ++ ++####################################### ++# ++# cinder scheduler local policy ++# ++ ++allow cinder_scheduler_t self:netlink_route_socket r_netlink_socket_perms; ++allow cinder_scheduler_t self:udp_socket create_socket_perms; ++ ++auth_read_passwd(cinder_scheduler_t) ++ ++init_read_utmp(cinder_scheduler_t) ++ ++optional_policy(` ++ unconfined_domain(cinder_scheduler_t) ++') ++ ++####################################### ++# ++# cinder volume local policy ++# ++ ++allow cinder_volume_t self:netlink_route_socket r_netlink_socket_perms; ++ ++allow cinder_volume_t self:udp_socket create_socket_perms; ++ ++kernel_read_kernel_sysctls(cinder_volume_t) ++ ++logging_send_syslog_msg(cinder_volume_t) ++ ++optional_policy(` ++ lvm_domtrans(cinder_volume_t) ++') ++ ++optional_policy(` ++ unconfined_domain(cinder_volume_t) ++') ++ diff --git a/cipe.te b/cipe.te index a0aa693..af571ed 100644 --- a/cipe.te @@ -13768,7 +14030,7 @@ index 954309e..f4db2ca 100644 ') + diff --git a/collectd.te b/collectd.te -index 6471fa8..36c3464 100644 +index 6471fa8..e6d320a 100644 --- a/collectd.te +++ b/collectd.te @@ -26,18 +26,28 @@ files_type(collectd_var_lib_t) @@ -13801,7 +14063,7 @@ index 6471fa8..36c3464 100644 manage_dirs_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t) manage_files_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t) -@@ -46,23 +56,28 @@ files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir) +@@ -46,23 +56,29 @@ files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir) manage_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t) files_pid_filetrans(collectd_t, collectd_var_run_t, file) 
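Review bot: Each of the four new cinder domains in cinder.te ends with `unconfined_domain(cinder_api_t)` (and the backup, scheduler and volume equivalents) inside an optional_policy, so the targeted rules above them — the port connects, the `can_exec(cinder_$1_t, cinder_$1_tmp_t)` in the template, and the `corenet_tcp_connect_all_ports(cinder_api_t)` already marked `# should be add to booleans` — have no confining effect today. The header comment about the sudo issue should name the tracking bug (placeholder: `# tracked in <tracker-id>; drop unconfined_domain once fixed`) so the grants are actually removed, and the all-ports connect should become a `tunable_policy` now rather than later. The common block also lists `corenet_tcp_connect_mysqld_port(cinder_domain)` twice, and the per-domain `auth_read_passwd`, `init_read_utmp` and `logging_send_syslog_msg` rules repeat what cinder_domain or cinder_domain_template already grants, so they can be dropped. Allowing execution out of the per-domain tmp type also deserves a why-comment, since it gives up the write/execute separation the tmp type would otherwise provide.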
@@ -13831,13 +14093,14 @@ index 6471fa8..36c3464 100644 -files_read_usr_files(collectd_t) fs_getattr_all_fs(collectd_t) ++fs_getattr_all_dirs(collectd_t) -miscfiles_read_localization(collectd_t) +init_read_utmp(collectd_t) logging_send_syslog_msg(collectd_t) -@@ -75,16 +90,31 @@ tunable_policy(`collectd_tcp_network_connect',` +@@ -75,16 +91,31 @@ tunable_policy(`collectd_tcp_network_connect',` ') optional_policy(` @@ -29074,11 +29337,31 @@ index 582db0a..d77a1a5 100644 sysnet_read_config(gitosis_t) tunable_policy(`gitosis_can_sendmail',` +diff --git a/glance.fc b/glance.fc +index c21a528..a746a2b 100644 +--- a/glance.fc ++++ b/glance.fc +@@ -1,8 +1,14 @@ + /etc/rc\.d/init\.d/openstack-glance-api -- gen_context(system_u:object_r:glance_api_initrc_exec_t,s0) + /etc/rc\.d/init\.d/openstack-glance-registry -- gen_context(system_u:object_r:glance_registry_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/openstack-glance-scrubber -- gen_context(system_u:object_r:glance_scrubber_initrc_exec_t,s0) + +-/usr/bin/glance-api -- gen_context(system_u:object_r:glance_api_exec_t,s0) ++/usr/lib/systemd/system/openstack-glance-api.* -- gen_context(system_u:object_r:glance_api_unit_file_t,s0) ++/usr/lib/systemd/system/openstack-glance-registry.* -- gen_context(system_u:object_r:glance_registry_unit_file_t,s0) ++/usr/lib/systemd/system/openstack-glance-scrubber.* -- gen_context(system_u:object_r:glance_scrubber_unit_file_t,s0) ++ ++/usr/bin/glance-api -- gen_context(system_u:object_r:glance_api_exec_t,s0) + /usr/bin/glance-registry -- gen_context(system_u:object_r:glance_registry_exec_t,s0) ++/usr/bin/glance-scrubber -- gen_context(system_u:object_r:glance_scrubber_exec_t,s0) + + /var/lib/glance(/.*)? gen_context(system_u:object_r:glance_var_lib_t,s0) + diff --git a/glance.if b/glance.if -index 9eacb2c..229782f 100644 +index 9eacb2c..2f3fa34 100644 --- a/glance.if 
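Review bot: `++fs_getattr_all_dirs(collectd_t)` grants getattr on directories of every filesystem type, while the changelog entry for this change names only the configfs_t directory (bz#1115040), so the grant is wider than the stated need. If filesystem.if in this tree has a configfs-scoped getattr interface, prefer it; otherwise keep the broad call but record why it is there, e.g. `# bz#1115040: collectd stats configfs_t dirs; fs_getattr_all_dirs is the narrowest interface covering them`, so a later cleanup does not trim it back. The collectd_t rule block continues outside this hunk.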
+++ b/glance.if -@@ -1,5 +1,30 @@ +@@ -1,5 +1,36 @@ ## OpenStack image registry and delivery service. +####################################### @@ -29100,16 +29383,22 @@ index 9eacb2c..229782f 100644 + type $1_t, glance_domain; + type $1_exec_t; + ++ type $1_unit_file_t; ++ systemd_unit_file($1_unit_file_t) ++ + kernel_read_system_state($1_t) + + corenet_all_recvfrom_unlabeled($1_t) + corenet_all_recvfrom_netlabel($1_t) ++ ++ logging_send_syslog_msg($1_t) ++ +') + ######################################## ## ## Execute a domain transition to -@@ -26,9 +51,9 @@ interface(`glance_domtrans_registry',` +@@ -26,9 +57,9 @@ interface(`glance_domtrans_registry',` ## run glance api. ## ## @@ -29121,7 +29410,7 @@ index 9eacb2c..229782f 100644 ## # interface(`glance_domtrans_api',` -@@ -242,8 +267,13 @@ interface(`glance_admin',` +@@ -242,8 +273,13 @@ interface(`glance_admin',` type glance_registry_initrc_exec_t, glance_api_initrc_exec_t; ') @@ -29138,7 +29427,7 @@ index 9eacb2c..229782f 100644 init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t }) domain_system_change_exemption($1) diff --git a/glance.te b/glance.te -index 5cd0909..1464b4d 100644 +index 5cd0909..f07f415 100644 --- a/glance.te +++ b/glance.te @@ -5,10 +5,16 @@ policy_module(glance, 1.1.0) @@ -29160,7 +29449,7 @@ index 5cd0909..1464b4d 100644 init_daemon_domain(glance_registry_t, glance_registry_exec_t) type glance_registry_initrc_exec_t; -@@ -17,8 +23,10 @@ init_script_file(glance_registry_initrc_exec_t) +@@ -17,13 +23,21 @@ init_script_file(glance_registry_initrc_exec_t) type glance_registry_tmp_t; files_tmp_file(glance_registry_tmp_t) 
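Review bot: `logging_send_syslog_msg($1_t)` added to glance_basic_types_template now covers every glance domain, which makes the per-domain `logging_send_syslog_msg(glance_registry_t)` still present in glance.te (visible further down as context) redundant; drop that line or mark it `# supplied by glance_basic_types_template` so the two do not drift apart. The new `type $1_unit_file_t; systemd_unit_file($1_unit_file_t)` also declares a unit-file type per domain, yet the glance_admin gen_require shown below still lists only the api and registry initrc types, so the admin interface appears not to expose the unit files or the scrubber's initrc type — confirm against the full glance.if, which is outside this hunk. glance_basic_types_template is complete inside the hunk; glance_admin is not.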
@@ -29173,7 +29462,18 @@ index 5cd0909..1464b4d 100644 init_daemon_domain(glance_api_t, glance_api_exec_t) type glance_api_initrc_exec_t; -@@ -41,6 +49,7 @@ files_pid_file(glance_var_run_t) + init_script_file(glance_api_initrc_exec_t) + ++glance_basic_types_template(glance_scrubber) ++init_daemon_domain(glance_scrubber_t, glance_scrubber_exec_t) ++ ++type glance_scrubber_initrc_exec_t; ++init_script_file(glance_scrubber_initrc_exec_t) ++ + type glance_log_t; + logging_log_file(glance_log_t) + +@@ -41,6 +55,7 @@ files_pid_file(glance_var_run_t) # Common local policy # @@ -29181,7 +29481,7 @@ index 5cd0909..1464b4d 100644 allow glance_domain self:fifo_file rw_fifo_file_perms; allow glance_domain self:unix_stream_socket create_stream_socket_perms; allow glance_domain self:tcp_socket { accept listen }; -@@ -56,29 +65,38 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t) +@@ -56,29 +71,38 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t) manage_dirs_pattern(glance_domain, glance_var_run_t, glance_var_run_t) manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t) @@ -29228,7 +29528,7 @@ index 5cd0909..1464b4d 100644 ######################################## # # Registry local policy -@@ -88,8 +106,14 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm +@@ -88,8 +112,14 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t) files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { dir file }) @@ -29243,7 +29543,7 @@ index 5cd0909..1464b4d 100644 logging_send_syslog_msg(glance_registry_t) -@@ -108,13 +132,24 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t) +@@ -108,13 +138,24 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t) files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file }) can_exec(glance_api_t, glance_tmp_t) 
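Review bot: `++glance_basic_types_template(glance_scrubber)` and `++init_daemon_domain(glance_scrubber_t, glance_scrubber_exec_t)` declare the new domain, but no "Scrubber local policy" section follows in this hunk, so glance_scrubber_t runs on the glance_domain common rules alone and a reader cannot tell whether that is deliberate. If it is, add a section stub such as `# Scrubber local policy: relies on glance_domain common rules only` where the other domains have theirs; if it is not, the per-domain rules (store access, tmp files) are still missing. The rest of glance.te is outside this hunk.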
@@ -29453,10 +29753,10 @@ index 0000000..1ed97fe + diff --git a/glusterd.te b/glusterd.te new file mode 100644 -index 0000000..c63f92f +index 0000000..fbc6a67 --- /dev/null +++ b/glusterd.te -@@ -0,0 +1,200 @@ +@@ -0,0 +1,201 @@ +policy_module(glusterfs, 1.1.2) + +## @@ -29598,6 +29898,7 @@ index 0000000..c63f92f +corenet_sendrecv_all_client_packets(glusterd_t) +corenet_tcp_bind_all_unreserved_ports(glusterd_t) +corenet_tcp_connect_all_unreserved_ports(glusterd_t) ++corenet_tcp_connect_all_ephemeral_ports(glusterd_t) +corenet_tcp_connect_ssh_port(glusterd_t) + +dev_read_sysfs(glusterd_t) @@ -34595,10 +34896,10 @@ index 0000000..48d7322 + diff --git a/ipa.if b/ipa.if new file mode 100644 -index 0000000..a2af18e +index 0000000..123e906 --- /dev/null +++ b/ipa.if -@@ -0,0 +1,76 @@ +@@ -0,0 +1,94 @@ +## Policy for IPA services. + +######################################## @@ -34647,6 +34948,24 @@ index 0000000..a2af18e +## +## +# ++interface(`ipa_search_lib',` ++ gen_require(` ++ type ipa_var_lib_t; ++ ') ++ ++ search_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t) ++') ++ ++######################################## ++## ++## Allow domain to manage ipa lib files/dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`ipa_manage_lib',` + gen_require(` + type ipa_var_lib_t; @@ -53359,16 +53678,17 @@ index 3a6b035..b9887c1 100644 sysnet_read_config(ypxfr_t) diff --git a/nova.fc b/nova.fc new file mode 100644 -index 0000000..02dc6dc +index 0000000..d6de5b6 --- /dev/null 
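Review bot: `++corenet_tcp_connect_all_ephemeral_ports(glusterd_t)` sits directly under `corenet_tcp_connect_all_unreserved_ports(glusterd_t)`, so glusterd_t may now initiate connections to essentially any port above 1024 (plus ssh), and nothing in the hunk records why; a one-line comment such as `# peer/brick ports are assigned dynamically above 1024 (presumably)` would keep a later cleanup from narrowing it. If ephemeral_port_t already carries the unreserved_port_type attribute in this tree's corenetwork, the new line is a no-op and could be dropped instead — check with sesearch before keeping both. The glusterd_t rule block continues outside this hunk.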
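Review bot: the new `ipa_search_lib` interface is inserted between the existing doc header (outside the hunk; only its `## ## #` tail is visible) and `ipa_manage_lib`, so it now sits under the summary that was written for ipa_manage_lib — presumably "Allow domain to manage ipa lib files/dirs." — while the real manage interface gets a freshly copied header below; ipa_search_lib therefore documents manage access it does not grant. Change the summary above it to `## Allow domain to search ipa lib directories.` or move the new interface below the copied header. Consider pairing `search_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t)` with `files_search_var_lib($1)` if the sibling interfaces in this file do so, otherwise callers may still be unable to reach /var/lib/ipa; the rest of ipa.if is outside the hunk.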
+++ b/nova.fc -@@ -0,0 +1,32 @@ +@@ -0,0 +1,33 @@ + +/usr/bin/nova-ajax-console-proxy -- gen_context(system_u:object_r:nova_ajax_exec_t,s0) +/usr/bin/nova-console.* -- gen_context(system_u:object_r:nova_console_exec_t,s0) +/usr/bin/nova-direct-api -- gen_context(system_u:object_r:nova_direct_exec_t,s0) +/usr/bin/nova-api -- gen_context(system_u:object_r:nova_api_exec_t,s0) +/usr/bin/nova-cert -- gen_context(system_u:object_r:nova_cert_exec_t,s0) ++/usr/bin/nova-conductor -- gen_context(system_u:object_r:nova_conductor_exec_t,s0) +/usr//bin/nova-api-metadata -- gen_context(system_u:object_r:nova_api_exec_t,s0) +/usr/bin/nova-network -- gen_context(system_u:object_r:nova_network_exec_t,s0) +/usr/bin/nova-objectstore -- gen_context(system_u:object_r:nova_objectstore_exec_t,s0) @@ -53460,10 +53780,10 @@ index 0000000..28936b4 +') diff --git a/nova.te b/nova.te new file mode 100644 -index 0000000..87072c4 +index 0000000..271f4b6 --- /dev/null +++ b/nova.te -@@ -0,0 +1,318 @@ +@@ -0,0 +1,328 @@ +policy_module(nova, 1.0.0) + +######################################## @@ -53482,6 +53802,7 @@ index 0000000..87072c4 +nova_domain_template(ajax) +nova_domain_template(api) +nova_domain_template(cert) ++nova_domain_template(conductor) +nova_domain_template(compute) +nova_domain_template(console) +nova_domain_template(direct) @@ -53627,6 +53948,15 @@ index 0000000..87072c4 + +####################################### +# ++# nova conductor local policy ++# ++ ++optional_policy(` ++ unconfined_domain(nova_conductor_t) ++') ++ ++####################################### ++# +# nova compute local policy +# + @@ -73678,10 +74008,10 @@ index 70ab68b..2a8e41b 100644 +/var/log/neutron(/.*)? gen_context(system_u:object_r:neutron_log_t,s0) +/var/log/quantum(/.*)? gen_context(system_u:object_r:neutron_log_t,s0) diff --git a/quantum.if b/quantum.if -index afc0068..3105104 100644 +index afc0068..97bbea4 100644 --- a/quantum.if 
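Review bot: `++/usr/bin/nova-conductor -- gen_context(system_u:object_r:nova_conductor_exec_t,s0)` is fine, but the context line right under it, `+/usr//bin/nova-api-metadata`, has a doubled slash that the canonical path /usr/bin/nova-api-metadata will presumably never match, so that binary stays unlabeled as a nova entrypoint and runs in its caller's domain rather than nova_api_t. Since this hunk already touches the neighbouring line it is the natural place to correct it to `/usr/bin/nova-api-metadata -- gen_context(system_u:object_r:nova_api_exec_t,s0)`. That typo predates this commit. The remainder of nova.fc is outside the hunk.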
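Review bot: `++ unconfined_domain(nova_conductor_t)` makes the new conductor domain effectively unconfined whenever the unconfined module is loaded, so the nova_domain_template rules for it are nominal; the sibling nova domains use the same pattern, so it is consistent, but the hunk gives no hint whether this is a bootstrap until real access is collected or the intended end state. Add a note such as `# TODO: unconfined until nova-conductor's real access pattern is collected` or, if permanent, say so, so the grant is not mistaken for a finished policy. The nova_conductor_t section is complete inside the hunk; the nova common rules are outside it.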
+++ b/quantum.if -@@ -2,41 +2,293 @@ +@@ -2,41 +2,294 @@ ######################################## ## @@ -73867,6 +74197,7 @@ index afc0068..3105104 100644 - allow $2 system_r; + files_search_var_lib($1) + manage_files_pattern($1, neutron_var_lib_t, neutron_var_lib_t) ++ manage_sock_files_pattern($1, neutron_var_lib_t, neutron_var_lib_t) +') + +######################################## @@ -73993,37 +74324,45 @@ index afc0068..3105104 100644 + ') ') diff --git a/quantum.te b/quantum.te -index 8644d8b..ddc4c31 100644 +index 8644d8b..543bfbc 100644 --- a/quantum.te +++ b/quantum.te -@@ -5,92 +5,146 @@ policy_module(quantum, 1.1.0) +@@ -5,92 +5,165 @@ policy_module(quantum, 1.1.0) # Declarations # -type quantum_t; -type quantum_exec_t; -init_daemon_domain(quantum_t, quantum_exec_t) -+type neutron_t alias quantum_t; -+type neutron_exec_t alias quantum_exec_t; -+init_daemon_domain(neutron_t, neutron_exec_t) ++## ++##
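Review bot: `++ manage_sock_files_pattern($1, neutron_var_lib_t, neutron_var_lib_t)` extends neutron_manage_lib_files beyond what its name describes, so callers now get create/unlink on socket files under /var/lib/neutron without the interface saying so. Either update the summary above it (outside the hunk) to mention socket files, or add a separate `neutron_manage_lib_sock_files` interface and call it only from the consumer that needs it — the narrower grant is easier to audit. The interface body starts above this hunk.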

++## Determine whether neutron can ++## connect to all TCP ports ++##

++##
++gen_tunable(neutron_can_network, false) -type quantum_initrc_exec_t; -init_script_file(quantum_initrc_exec_t) -+type neutron_initrc_exec_t alias quantum_initrc_exec_t; -+init_script_file(neutron_initrc_exec_t) ++type neutron_t alias quantum_t; ++type neutron_exec_t alias quantum_exec_t; ++init_daemon_domain(neutron_t, neutron_exec_t) -type quantum_log_t; -logging_log_file(quantum_log_t) -+type neutron_log_t alias quantum_log_t; -+logging_log_file(neutron_log_t) ++type neutron_initrc_exec_t alias quantum_initrc_exec_t; ++init_script_file(neutron_initrc_exec_t) -type quantum_tmp_t; -files_tmp_file(quantum_tmp_t) -+type neutron_tmp_t alias quantum_tmp_t; -+files_tmp_file(neutron_tmp_t) ++type neutron_log_t alias quantum_log_t; ++logging_log_file(neutron_log_t) -type quantum_var_lib_t; -files_type(quantum_var_lib_t) ++type neutron_tmp_t alias quantum_tmp_t; ++files_tmp_file(neutron_tmp_t) ++ +type neutron_var_lib_t alias quantum_var_lib_t; +files_type(neutron_var_lib_t) + 
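Review bot: the boolean description above `++gen_tunable(neutron_can_network, false)` says only that neutron may "connect to all TCP ports", which does not tell an operator when to enable it or what the default already permits. Expand it along the lines of `Determine whether neutron can connect to all TCP ports. Off by default; the policy then allows only the neutron, keystone, amqp, mysqld and osapi_compute ports (see quantum.te).`, matching the unconditional corenet_tcp_connect_* grants added further down in this file. Defaulting to false is the right choice. The declarations section is complete inside the hunk.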
@@ -74041,6 +74380,41 @@ index 8644d8b..ddc4c31 100644 -allow quantum_t self:key manage_key_perms; -allow quantum_t self:tcp_socket { accept listen }; -allow quantum_t self:unix_stream_socket { accept listen }; +- +-manage_dirs_pattern(quantum_t, quantum_log_t, quantum_log_t) +-append_files_pattern(quantum_t, quantum_log_t, quantum_log_t) +-create_files_pattern(quantum_t, quantum_log_t, quantum_log_t) +-setattr_files_pattern(quantum_t, quantum_log_t, quantum_log_t) +-logging_log_filetrans(quantum_t, quantum_log_t, dir) +- +-manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t) +-files_tmp_filetrans(quantum_t, quantum_tmp_t, file) +- +-manage_dirs_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t) +-manage_files_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t) +-files_var_lib_filetrans(quantum_t, quantum_var_lib_t, dir) +- +-can_exec(quantum_t, quantum_tmp_t) +- +-kernel_read_kernel_sysctls(quantum_t) +-kernel_read_system_state(quantum_t) +- +-corecmd_exec_shell(quantum_t) +-corecmd_exec_bin(quantum_t) +- +-corenet_all_recvfrom_unlabeled(quantum_t) +-corenet_all_recvfrom_netlabel(quantum_t) +-corenet_tcp_sendrecv_generic_if(quantum_t) +-corenet_tcp_sendrecv_generic_node(quantum_t) +-corenet_tcp_sendrecv_all_ports(quantum_t) +-corenet_tcp_bind_generic_node(quantum_t) +- +-dev_list_sysfs(quantum_t) +-dev_read_urand(quantum_t) +- +-files_read_usr_files(quantum_t) +- +-auth_use_nsswitch(quantum_t) +allow neutron_t self:capability { dac_override sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw net_bind_service}; +allow neutron_t self:capability2 block_suspend; +allow neutron_t self:process { setsched setrlimit setcap signal_perms }; 
@@ -74058,141 +74432,127 @@ index 8644d8b..ddc4c31 100644 +create_files_pattern(neutron_t, neutron_log_t, neutron_log_t) +setattr_files_pattern(neutron_t, neutron_log_t, neutron_log_t) +logging_log_filetrans(neutron_t, neutron_log_t, dir) - --manage_dirs_pattern(quantum_t, quantum_log_t, quantum_log_t) --append_files_pattern(quantum_t, quantum_log_t, quantum_log_t) --create_files_pattern(quantum_t, quantum_log_t, quantum_log_t) --setattr_files_pattern(quantum_t, quantum_log_t, quantum_log_t) --logging_log_filetrans(quantum_t, quantum_log_t, dir) ++ +manage_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t) +manage_dirs_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t) +files_tmp_filetrans(neutron_t, neutron_tmp_t, { file dir }) - --manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t) --files_tmp_filetrans(quantum_t, quantum_tmp_t, file) ++ +manage_dirs_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t) +manage_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t) +manage_sock_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t) +files_var_lib_filetrans(neutron_t, neutron_var_lib_t, dir) - --manage_dirs_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t) --manage_files_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t) --files_var_lib_filetrans(quantum_t, quantum_var_lib_t, dir) ++ +can_exec(neutron_t, neutron_tmp_t) - --can_exec(quantum_t, quantum_tmp_t) ++ +kernel_rw_kernel_sysctl(neutron_t) +kernel_rw_net_sysctls(neutron_t) +kernel_read_system_state(neutron_t) +kernel_read_network_state(neutron_t) +kernel_request_load_module(neutron_t) - --kernel_read_kernel_sysctls(quantum_t) --kernel_read_system_state(quantum_t) ++ +corecmd_exec_shell(neutron_t) +corecmd_exec_bin(neutron_t) - --corecmd_exec_shell(quantum_t) --corecmd_exec_bin(quantum_t) ++ +corenet_all_recvfrom_unlabeled(neutron_t) +corenet_all_recvfrom_netlabel(neutron_t) +corenet_tcp_sendrecv_generic_if(neutron_t) +corenet_tcp_sendrecv_generic_node(neutron_t) 
+corenet_tcp_sendrecv_all_ports(neutron_t) +corenet_tcp_bind_generic_node(neutron_t) - --corenet_all_recvfrom_unlabeled(quantum_t) --corenet_all_recvfrom_netlabel(quantum_t) --corenet_tcp_sendrecv_generic_if(quantum_t) --corenet_tcp_sendrecv_generic_node(quantum_t) --corenet_tcp_sendrecv_all_ports(quantum_t) --corenet_tcp_bind_generic_node(quantum_t) ++ +corenet_tcp_bind_neutron_port(neutron_t) ++corenet_tcp_connect_neutron_port(neutron_t) +corenet_tcp_connect_keystone_port(neutron_t) +corenet_tcp_connect_amqp_port(neutron_t) +corenet_tcp_connect_mysqld_port(neutron_t) +corenet_tcp_connect_osapi_compute_port(neutron_t) - --dev_list_sysfs(quantum_t) --dev_read_urand(quantum_t) ++ +domain_read_all_domains_state(neutron_t) +domain_named_filetrans(neutron_t) - --files_read_usr_files(quantum_t) ++ +dev_read_sysfs(neutron_t) +dev_read_urand(neutron_t) +dev_mounton_sysfs(neutron_t) +dev_mount_sysfs_fs(neutron_t) +dev_unmount_sysfs_fs(neutron_t) - --auth_use_nsswitch(quantum_t) ++ +files_mounton_non_security(neutron_t) - --libs_exec_ldconfig(quantum_t) ++ +auth_use_nsswitch(neutron_t) - --logging_send_audit_msgs(quantum_t) --logging_send_syslog_msg(quantum_t) ++ +libs_exec_ldconfig(neutron_t) - --miscfiles_read_localization(quantum_t) ++ +logging_send_audit_msgs(neutron_t) +logging_send_syslog_msg(neutron_t) - --sysnet_domtrans_ifconfig(quantum_t) ++ +netutils_exec(neutron_t) + +# need to stay in neutron +sysnet_exec_ifconfig(neutron_t) +sysnet_manage_ifconfig_run(neutron_t) +sysnet_filetrans_named_content_ifconfig(neutron_t) ++ ++tunable_policy(`neutron_can_network',` ++ corenet_sendrecv_all_client_packets(neutron_t) ++ corenet_tcp_connect_all_ports(neutron_t) ++ corenet_tcp_sendrecv_all_ports(neutron_t) ++') - optional_policy(` -- brctl_domtrans(quantum_t) +-libs_exec_ldconfig(quantum_t) ++optional_policy(` + brctl_domtrans(neutron_t) - ') ++') - optional_policy(` -- mysql_stream_connect(quantum_t) -- mysql_read_config(quantum_t) +-logging_send_audit_msgs(quantum_t) 
+-logging_send_syslog_msg(quantum_t) ++optional_policy(` + dnsmasq_domtrans(neutron_t) + dnsmasq_signal(neutron_t) + dnsmasq_read_state(neutron_t) +') -- mysql_tcp_connect(quantum_t) +-miscfiles_read_localization(quantum_t) ++optional_policy(` ++ rhcs_domtrans_haproxy(neutron_t) ++') + +-sysnet_domtrans_ifconfig(quantum_t) +optional_policy(` + iptables_domtrans(neutron_t) - ') ++') optional_policy(` -- postgresql_stream_connect(quantum_t) -- postgresql_unpriv_client(quantum_t) +- brctl_domtrans(quantum_t) + modutils_domtrans_insmod(neutron_t) -+') + ') -- postgresql_tcp_connect(quantum_t) -+optional_policy(` + optional_policy(` +- mysql_stream_connect(quantum_t) +- mysql_read_config(quantum_t) + mysql_stream_connect(neutron_t) + mysql_read_db_lnk_files(neutron_t) + mysql_read_config(neutron_t) + mysql_tcp_connect(neutron_t) - ') -+ ++') + +- mysql_tcp_connect(quantum_t) +optional_policy(` + postgresql_stream_connect(neutron_t) + postgresql_unpriv_client(neutron_t) + postgresql_tcp_connect(neutron_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- postgresql_stream_connect(quantum_t) +- postgresql_unpriv_client(quantum_t) + openvswitch_domtrans(neutron_t) + openvswitch_stream_connect(neutron_t) +') -+ + +- postgresql_tcp_connect(quantum_t) +optional_policy(` + sudo_exec(neutron_t) -+') + ') + +optional_policy(` + udev_domtrans(neutron_t) @@ -74789,18 +75149,20 @@ index dc3b0ed..20f9ced 100644 -miscfiles_read_localization(rabbitmq_epmd_t) diff --git a/radius.fc b/radius.fc -index d447e85..008ee02 100644 +index d447e85..76ed794 100644 --- a/radius.fc 
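Review bot: inside the new `tunable_policy(`neutron_can_network',` block, `corenet_tcp_sendrecv_all_ports(neutron_t)` duplicates the unconditional `corenet_tcp_sendrecv_all_ports(neutron_t)` granted a few lines above, so the boolean really gates only `corenet_tcp_connect_all_ports` and `corenet_sendrecv_all_client_packets`; drop the duplicate so a reader is not misled into thinking sendrecv is switchable. A short comment above the block, e.g. `# plugin backends on other ports: enable neutron_can_network`, would also explain why the explicit list (neutron, keystone, amqp, mysqld, osapi_compute) is the default and the boolean the escape hatch. The neutron_t rule block continues past the end of the hunk.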
+++ b/radius.fc -@@ -9,6 +9,8 @@ +@@ -9,7 +9,9 @@ /usr/sbin/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0) /usr/sbin/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0) +-/var/lib/radiousd(/.*)? gen_context(system_u:object_r:radiusd_var_lib_t,s0) +/usr/lib/systemd/system/radiusd.* -- gen_context(system_u:object_r:radiusd_unit_file_t,s0) + - /var/lib/radiousd(/.*)? gen_context(system_u:object_r:radiusd_var_lib_t,s0) ++/var/lib/radiusd(/.*)? gen_context(system_u:object_r:radiusd_var_lib_t,s0) /var/log/freeradius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0) + /var/log/radacct(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0) diff --git a/radius.if b/radius.if index 4460582..60cf556 100644 --- a/radius.if @@ -77737,7 +78099,7 @@ index 47de2d6..5ad36aa 100644 +/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0) +/var/log/pcsd(/.*)? gen_context(system_u:object_r:cluster_var_log_t,s0) diff --git a/rhcs.if b/rhcs.if -index c8bdea2..1337d42 100644 +index c8bdea2..abc53b9 100644 --- a/rhcs.if +++ b/rhcs.if @@ -1,19 +1,19 @@ @@ -77912,8 +78274,29 @@ index c8bdea2..1337d42 100644 ##
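Review bot: the corrected pattern `++/var/lib/radiusd(/.*)?` only takes effect on files that get relabelled, so an upgraded host keeps whatever label the old, never-matching `radiousd` entry left on /var/lib/radiusd until a restorecon runs; check that the package's %post relabel covers this path, and add a "Fix labeling for /var/lib/radiusd" line to the changelog, which currently does not mention it. The change from a context line to `+-`/`++` is otherwise correct. The rest of radius.fc is outside the hunk.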
## ## -@@ -223,8 +214,7 @@ interface(`rhcs_stream_connect_fenced',` +@@ -221,10 +212,28 @@ interface(`rhcs_stream_connect_fenced',` + stream_connect_pattern($1, fenced_var_run_t, fenced_var_run_t, fenced_t) + ') ++###################################### ++## ++## Execute a domain transition to run fenced. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`rhcs_domtrans_haproxy',` ++ gen_require(` ++ type haproxy_t, haproxy_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, haproxy_exec_t, haproxy_t) ++') ++ ##################################### ## -## Execute a domain transition @@ -77922,7 +78305,7 @@ index c8bdea2..1337d42 100644 ## ## ## -@@ -243,7 +233,7 @@ interface(`rhcs_domtrans_gfs_controld',` +@@ -243,7 +252,7 @@ interface(`rhcs_domtrans_gfs_controld',` #################################### ## @@ -77931,7 +78314,7 @@ index c8bdea2..1337d42 100644 ## ## ## -@@ -264,7 +254,7 @@ interface(`rhcs_rw_gfs_controld_semaphores',` +@@ -264,7 +273,7 @@ interface(`rhcs_rw_gfs_controld_semaphores',` ######################################## ## @@ -77940,7 +78323,7 @@ index c8bdea2..1337d42 100644 ## ## ## -@@ -285,8 +275,7 @@ interface(`rhcs_rw_gfs_controld_shm',` +@@ -285,8 +294,7 @@ interface(`rhcs_rw_gfs_controld_shm',` ##################################### ## @@ -77950,7 +78333,7 @@ index c8bdea2..1337d42 100644 ## ## ## -@@ -324,8 +313,8 @@ interface(`rhcs_domtrans_groupd',` +@@ -324,8 +332,8 @@ interface(`rhcs_domtrans_groupd',` ##################################### ## @@ -77961,7 +78344,7 @@ index c8bdea2..1337d42 100644 ## ## ## -@@ -342,10 +331,51 @@ interface(`rhcs_stream_connect_groupd',` +@@ -342,10 +350,51 @@ interface(`rhcs_stream_connect_groupd',` stream_connect_pattern($1, groupd_var_run_t, groupd_var_run_t, groupd_t) ') 
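Review bot: the doc header for the new `rhcs_domtrans_haproxy` reads `## Execute a domain transition to run fenced.`, copied from the interface above it; change it to `## Execute a domain transition to run haproxy.` so the generated interface documentation does not mislabel it. The body itself (gen_require of haproxy_t/haproxy_exec_t, corecmd_search_bin, domtrans_pattern) is the standard shape and is complete inside the hunk.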
@@ -78015,7 +78398,7 @@ index c8bdea2..1337d42 100644 ## ## ## -@@ -366,8 +396,7 @@ interface(`rhcs_rw_cluster_shm',` +@@ -366,8 +415,7 @@ interface(`rhcs_rw_cluster_shm',` #################################### ## @@ -78025,7 +78408,7 @@ index c8bdea2..1337d42 100644 ## ## ## -@@ -383,9 +412,10 @@ interface(`rhcs_rw_cluster_semaphores',` +@@ -383,9 +431,10 @@ interface(`rhcs_rw_cluster_semaphores',` allow $1 cluster_domain:sem { rw_sem_perms destroy }; ') @@ -78038,7 +78421,7 @@ index c8bdea2..1337d42 100644 ## ## ## -@@ -393,20 +423,44 @@ interface(`rhcs_rw_cluster_semaphores',` +@@ -393,20 +442,44 @@ interface(`rhcs_rw_cluster_semaphores',` ## ## # @@ -78089,7 +78472,7 @@ index c8bdea2..1337d42 100644 ## ## ## -@@ -414,15 +468,12 @@ interface(`rhcs_rw_groupd_semaphores',` +@@ -414,15 +487,12 @@ interface(`rhcs_rw_groupd_semaphores',` ## ## # @@ -78108,7 +78491,7 @@ index c8bdea2..1337d42 100644 ') ###################################### -@@ -446,52 +497,361 @@ interface(`rhcs_domtrans_qdiskd',` +@@ -446,52 +516,361 @@ interface(`rhcs_domtrans_qdiskd',` ######################################## ## @@ -78159,11 +78542,7 @@ index c8bdea2..1337d42 100644 + files_search_var_lib($1) + read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) +') - -- init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t }) -- domain_system_change_exemption($1) -- role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r; -- allow $2 system_r; ++ +##################################### +## +## Allow domain to manage cluster lib files 
@@ -78178,15 +78557,15 @@ index c8bdea2..1337d42 100644 + gen_require(` + type cluster_var_lib_t; + ') - -- files_search_pids($1) -- admin_pattern($1, cluster_pid) ++ + files_search_var_lib($1) + manage_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) +') -- files_search_locks($1) -- admin_pattern($1, fenced_lock_t) +- init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t }) +- domain_system_change_exemption($1) +- role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r; +- allow $2 system_r; +#################################### +## +## Allow domain to relabel cluster lib files @@ -78207,8 +78586,8 @@ index c8bdea2..1337d42 100644 + relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) +') -- files_search_tmp($1) -- admin_pattern($1, fenced_tmp_t) +- files_search_pids($1) +- admin_pattern($1, cluster_pid) +###################################### +## +## Execute a domain transition to run cluster administrative domain. @@ -78224,14 +78603,14 @@ index c8bdea2..1337d42 100644 + type cluster_t, cluster_exec_t; + ') -- files_search_var_lib($1) -- admin_pattern($1, qdiskd_var_lib_t) +- files_search_locks($1) +- admin_pattern($1, fenced_lock_t) + corecmd_search_bin($1) + domtrans_pattern($1, cluster_exec_t, cluster_t) +') -- fs_search_tmpfs($1) -- admin_pattern($1, cluster_tmpfs) +- files_search_tmp($1) +- admin_pattern($1, fenced_tmp_t) +####################################### +## +## Execute cluster init scripts in @@ -78247,10 +78626,14 @@ index c8bdea2..1337d42 100644 + gen_require(` + type cluster_initrc_exec_t; + ') -+ + +- files_search_var_lib($1) +- admin_pattern($1, qdiskd_var_lib_t) + init_labeled_script_domtrans($1, cluster_initrc_exec_t) +') -+ + +- fs_search_tmpfs($1) +- admin_pattern($1, cluster_tmpfs) +##################################### +## +## Execute cluster in the caller domain. @@ -94552,10 +94935,10 @@ index 49d688d..f07cc80 100644 sysnet_dns_name_resolve(svnserve_t) 
diff --git a/swift.fc b/swift.fc new file mode 100644 -index 0000000..b07d112 +index 0000000..7e59e7e --- /dev/null +++ b/swift.fc -@@ -0,0 +1,32 @@ +@@ -0,0 +1,33 @@ +/usr/bin/swift-account-auditor -- gen_context(system_u:object_r:swift_exec_t,s0) +/usr/bin/swift-account-reaper -- gen_context(system_u:object_r:swift_exec_t,s0) +/usr/bin/swift-account-replicator -- gen_context(system_u:object_r:swift_exec_t,s0) @@ -94569,6 +94952,7 @@ index 0000000..b07d112 + +/usr/bin/swift-object-auditor -- gen_context(system_u:object_r:swift_exec_t,s0) +/usr/bin/swift-object-info -- gen_context(system_u:object_r:swift_exec_t,s0) ++/usr/bin/swift-object-expirer -- gen_context(system_u:object_r:swift_exec_t,s0) +/usr/bin/swift-object-replicator -- gen_context(system_u:object_r:swift_exec_t,s0) +/usr/bin/swift-object-server -- gen_context(system_u:object_r:swift_exec_t,s0) +/usr/bin/swift-object-updater -- gen_context(system_u:object_r:swift_exec_t,s0) @@ -94751,10 +95135,10 @@ index 0000000..6a1f575 +') diff --git a/swift.te b/swift.te new file mode 100644 -index 0000000..3d21c49 +index 0000000..43a0495 --- /dev/null +++ b/swift.te -@@ -0,0 +1,126 @@ +@@ -0,0 +1,128 @@ +policy_module(swift, 1.0.0) + +######################################## @@ -94847,6 +95231,8 @@ index 0000000..3d21c49 + +corenet_tcp_connect_xserver_port(swift_t) +corenet_tcp_connect_swift_port(swift_t) ++corenet_tcp_connect_keystone_port(swift_t) ++corenet_tcp_connect_memcache_port(swift_t) + +corecmd_exec_shell(swift_t) +corecmd_exec_bin(swift_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 86a801c..2c877f6 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 62%{?dist} +Release: 63%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
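Review bot: the new `++corenet_tcp_connect_keystone_port(swift_t)` and `++corenet_tcp_connect_memcache_port(swift_t)` are appended directly under `corenet_tcp_connect_xserver_port(swift_t)`, and nothing explains why an object-storage daemon may open connections to the X server port range. If it is there because swift's stock 6000-6002 listener ports fall inside xserver_port_t and the dedicated swift ports are newer, say so, e.g. `# legacy swift 6000-6002 listener ports are labelled xserver_port_t`; otherwise drop it. The keystone and memcache grants are what an auth_token-style middleware needs, so those two lines look right. The swift_t rule block continues outside the hunk.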
@@ -600,6 +600,29 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri Jul 4 2014 Miroslav Grepl 3.13.1-63 +- If I can create a socket I need to be able to set the attributes +- Add tcp/8775 port as neutron port +- Add additional ports for swift ports +- Added changes to fedora from bug bz#1082183 +- Add support for tcp/6200 port +- Allow collectd getattr access to configfs_t dir Fixes Bug 1115040 +- Update neutron_manage_lib_files() interface +- Allow glustered to connect to ephemeral ports +- Allow apache to search ipa lib files by default +- Allow neutron to domtrans to haproxy +- Add rhcs_domtrans_haproxy() +- Add support for openstack-glance-* unit files +- Add initial support for /usr/bin/glance-scrubber +- Allow swift to connect to keystone and memcache ports. +- Fix labeling for /usr/lib/systemd/system/openstack-cinder-backup +- Add policies for openstack-cinder +- Add support for /usr/bin/nova-conductor +- Add neutron_can_network boolean +- Allow neutron to connet to neutron port +- Allow glance domain to use syslog +- Add support for /usr/bin/swift-object-expirer and label it as swift_exec_t + * Wed Jun 25 2014 Miroslav Grepl 3.13.1-62 - Allow swift to use tcp/6200 swift port - ALlow swift to search apache configs