diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 612563b..fcb5143 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -5930,7 +5930,7 @@ index 3f6e168..51ad69a 100644
')
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index b31c054..50bfabf 100644
+index b31c054..872ff1b 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -15,15 +15,18 @@
@@ -5981,7 +5981,16 @@ index b31c054..50bfabf 100644
/dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/msr.* -c gen_context(system_u:object_r:cpu_device_t,s0)
/dev/net/vhost -c gen_context(system_u:object_r:vhost_device_t,s0)
-@@ -106,6 +113,7 @@
+@@ -80,6 +87,8 @@
+ /dev/noz.* -c gen_context(system_u:object_r:modem_device_t,s0)
+ /dev/null -c gen_context(system_u:object_r:null_device_t,s0)
+ /dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
++/dev/nvme.* -c gen_context(system_u:object_r:nvme_device_t,s0)
++/dev/nvme.* -b gen_context(system_u:object_r:nvme_device_t,s0)
+ /dev/nvram -c gen_context(system_u:object_r:nvram_device_t,mls_systemhigh)
+ /dev/oldmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+ /dev/opengl -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+@@ -106,6 +115,7 @@
/dev/snapshot -c gen_context(system_u:object_r:apm_bios_t,s0)
/dev/sndstat -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0)
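Review bot: The new `-b` line labels every block node matching `/dev/nvme.*` with the same `nvme_device_t` that the `-c` line gives the controller node, yet the matching devices.te comment describes the type as a controller type; the block nodes under that pattern are presumably the NVMe namespaces and their partitions (`/dev/nvme0n1`, `/dev/nvme0n1p1`), i.e. ordinary disks. Domains reaching disks through the `fixed_disk_device_t` storage interfaces would then not match NVMe disks. If that is not intended, narrow the controller pattern and keep namespaces on the disk type, e.g. `/dev/nvme[0-9]+ -c gen_context(system_u:object_r:nvme_device_t,s0)` and `/dev/nvme[0-9]+n[0-9]+.* -b gen_context(system_u:object_r:fixed_disk_device_t,s0)`.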
@@ -5989,7 +5998,7 @@ index b31c054..50bfabf 100644
/dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0)
/dev/uinput -c gen_context(system_u:object_r:event_device_t,s0)
-@@ -118,6 +126,11 @@
+@@ -118,6 +128,11 @@
ifdef(`distro_suse', `
/dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
')
@@ -6001,7 +6010,7 @@ index b31c054..50bfabf 100644
/dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0)
/dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
-@@ -129,12 +142,14 @@ ifdef(`distro_suse', `
+@@ -129,12 +144,14 @@ ifdef(`distro_suse', `
/dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/watchdog.* -c gen_context(system_u:object_r:watchdog_device_t,s0)
@@ -6016,7 +6025,7 @@ index b31c054..50bfabf 100644
/dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
/dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0)
-@@ -172,6 +187,8 @@ ifdef(`distro_suse', `
+@@ -172,6 +189,8 @@ ifdef(`distro_suse', `
/dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0)
@@ -6025,7 +6034,7 @@ index b31c054..50bfabf 100644
/dev/usb/dc2xx.* -c gen_context(system_u:object_r:scanner_device_t,s0)
/dev/usb/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
/dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0)
-@@ -198,12 +215,27 @@ ifdef(`distro_debian',`
+@@ -198,12 +217,27 @@ ifdef(`distro_debian',`
/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
@@ -8586,7 +8595,7 @@ index 76f285e..d36451a 100644
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9")
+')
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
-index 0b1a871..f52e603 100644
+index 0b1a871..f260e6f 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -15,11 +15,12 @@ attribute devices_unconfined_type;
@@ -8667,7 +8676,20 @@ index 0b1a871..f52e603 100644
# A more general type for mouse devices.
#
type mouse_device_t;
-@@ -227,6 +244,10 @@ files_mountpoint(sysfs_t)
+@@ -183,6 +200,12 @@ type nvram_device_t;
+ dev_node(nvram_device_t)
+
+ #
++# Type for controller device nodes
++#
++type nvme_device_t;
++dev_node(nvme_device_t)
++
++#
+ # Type for /dev/pmu
+ #
+ type power_device_t;
+@@ -227,6 +250,10 @@ files_mountpoint(sysfs_t)
fs_type(sysfs_t)
genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
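Review bot: The comment introducing the new type, `# Type for controller device nodes`, does not say which controller; the surrounding entries name their device, so it should read `# Type for NVMe controller device nodes (/dev/nvme*)`. The hunk declares `nvme_device_t` with `dev_node()` but no `dev_*` interface for it is visible in this patch; unless one is added to devices.if elsewhere, no other module can be granted access to the type without a raw allow rule, which is presumably not the intent.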
@@ -8678,7 +8700,7 @@ index 0b1a871..f52e603 100644
#
# Type for /dev/tpm
#
-@@ -266,6 +287,15 @@ dev_node(usbmon_device_t)
+@@ -266,6 +293,15 @@ dev_node(usbmon_device_t)
type userio_device_t;
dev_node(userio_device_t)
@@ -8694,7 +8716,7 @@ index 0b1a871..f52e603 100644
type v4l_device_t;
dev_node(v4l_device_t)
-@@ -274,6 +304,7 @@ dev_node(v4l_device_t)
+@@ -274,6 +310,7 @@ dev_node(v4l_device_t)
#
type vhost_device_t;
dev_node(vhost_device_t)
@@ -8702,7 +8724,7 @@ index 0b1a871..f52e603 100644
# Type for vmware devices.
type vmware_device_t;
-@@ -319,5 +350,6 @@ files_associate_tmp(device_node)
+@@ -319,5 +356,6 @@ files_associate_tmp(device_node)
#
allow devices_unconfined_type self:capability sys_rawio;
@@ -29277,7 +29299,7 @@ index bc0ffc8..7198bd9 100644
')
+/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 79a45f6..f142c45 100644
+index 79a45f6..b88e8a2 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1,5 +1,21 @@
@@ -30744,7 +30766,7 @@ index 79a45f6..f142c45 100644
+ type init_t;
+ ')
+
-+ allow $1 init_t:service { start stop reload status };
++ allow $1 init_t:service manage_service_perms;
+')
+
+########################################
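Review bot: Replacing `{ start stop reload status }` with `manage_service_perms` on `init_t:service` widens what this interface grants if that permission set carries more than the four enumerated permissions, which in this tree it presumably does (enable/disable at least). The interface's header and summary sit above the hunk and should be updated to say it grants full service management rather than start/stop/reload/status, so callers added for the narrower grant are re-checked. If only the four permissions are wanted, keep the explicit set.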
@@ -41157,10 +41179,10 @@ index 0000000..d2a8fc7
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..5b904b0
+index 0000000..a75ffd3
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,699 @@
+@@ -0,0 +1,700 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -41812,6 +41834,7 @@ index 0000000..5b904b0
+allow systemd_sysctl_t self:unix_dgram_socket create_socket_perms;
+
+kernel_dgram_send(systemd_sysctl_t)
++kernel_request_load_module(systemd_sysctl_t)
+kernel_rw_all_sysctls(systemd_sysctl_t)
+kernel_write_security_state(systemd_sysctl_t)
+
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 9696771..53800e9 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -538,7 +538,7 @@ index 058d908..2f6c3a9 100644
+')
+
diff --git a/abrt.te b/abrt.te
-index eb50f07..95bf222 100644
+index eb50f07..b18f881 100644
--- a/abrt.te
+++ b/abrt.te
@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
@@ -686,7 +686,7 @@ index eb50f07..95bf222 100644
manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
logging_log_filetrans(abrt_t, abrt_var_log_t, file)
-@@ -125,48 +135,54 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
+@@ -125,48 +135,55 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
@@ -715,6 +715,7 @@ index eb50f07..95bf222 100644
kernel_read_ring_buffer(abrt_t)
-kernel_read_system_state(abrt_t)
+kernel_read_network_state(abrt_t)
++kernel_read_software_raid_state(abrt_t)
kernel_request_load_module(abrt_t)
+kernel_rw_usermodehelper_state(abrt_t)
kernel_rw_kernel_sysctl(abrt_t)
@@ -748,7 +749,7 @@ index eb50f07..95bf222 100644
domain_getattr_all_domains(abrt_t)
domain_read_all_domains_state(abrt_t)
-@@ -176,29 +192,43 @@ files_getattr_all_files(abrt_t)
+@@ -176,29 +193,43 @@ files_getattr_all_files(abrt_t)
files_read_config_files(abrt_t)
files_read_etc_runtime_files(abrt_t)
files_read_var_symlinks(abrt_t)
@@ -795,7 +796,7 @@ index eb50f07..95bf222 100644
tunable_policy(`abrt_anon_write',`
miscfiles_manage_public_files(abrt_t)
-@@ -206,15 +236,11 @@ tunable_policy(`abrt_anon_write',`
+@@ -206,15 +237,11 @@ tunable_policy(`abrt_anon_write',`
optional_policy(`
apache_list_modules(abrt_t)
@@ -812,7 +813,7 @@ index eb50f07..95bf222 100644
')
optional_policy(`
-@@ -222,6 +248,20 @@ optional_policy(`
+@@ -222,6 +249,20 @@ optional_policy(`
')
optional_policy(`
@@ -833,7 +834,7 @@ index eb50f07..95bf222 100644
policykit_domtrans_auth(abrt_t)
policykit_read_lib(abrt_t)
policykit_read_reload(abrt_t)
-@@ -234,6 +274,11 @@ optional_policy(`
+@@ -234,6 +275,11 @@ optional_policy(`
')
optional_policy(`
@@ -845,7 +846,7 @@ index eb50f07..95bf222 100644
rpm_exec(abrt_t)
rpm_dontaudit_manage_db(abrt_t)
rpm_manage_cache(abrt_t)
-@@ -243,6 +288,7 @@ optional_policy(`
+@@ -243,6 +289,7 @@ optional_policy(`
rpm_signull(abrt_t)
')
@@ -853,7 +854,7 @@ index eb50f07..95bf222 100644
optional_policy(`
sendmail_domtrans(abrt_t)
')
-@@ -253,9 +299,17 @@ optional_policy(`
+@@ -253,9 +300,17 @@ optional_policy(`
sosreport_delete_tmp_files(abrt_t)
')
@@ -872,7 +873,7 @@ index eb50f07..95bf222 100644
#
allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
-@@ -266,9 +320,13 @@ tunable_policy(`abrt_handle_event',`
+@@ -266,9 +321,13 @@ tunable_policy(`abrt_handle_event',`
can_exec(abrt_t, abrt_handle_event_exec_t)
')
@@ -887,7 +888,7 @@ index eb50f07..95bf222 100644
#
allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -281,6 +339,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+@@ -281,6 +340,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
@@ -895,7 +896,7 @@ index eb50f07..95bf222 100644
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
-@@ -289,15 +348,20 @@ corecmd_read_all_executables(abrt_helper_t)
+@@ -289,15 +349,20 @@ corecmd_read_all_executables(abrt_helper_t)
domain_read_all_domains_state(abrt_helper_t)
@@ -916,7 +917,7 @@ index eb50f07..95bf222 100644
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -305,11 +369,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -305,11 +370,25 @@ ifdef(`hide_broken_symptoms',`
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -943,7 +944,7 @@ index eb50f07..95bf222 100644
#
allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
-@@ -327,10 +405,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
+@@ -327,10 +406,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
dev_read_urand(abrt_retrace_coredump_t)
@@ -957,7 +958,7 @@ index eb50f07..95bf222 100644
optional_policy(`
rpm_exec(abrt_retrace_coredump_t)
rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
-@@ -343,10 +423,11 @@ optional_policy(`
+@@ -343,10 +424,11 @@ optional_policy(`
#######################################
#
@@ -971,7 +972,7 @@ index eb50f07..95bf222 100644
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -365,38 +446,56 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -365,38 +447,56 @@ corecmd_exec_shell(abrt_retrace_worker_t)
dev_read_urand(abrt_retrace_worker_t)
@@ -1031,7 +1032,7 @@ index eb50f07..95bf222 100644
#######################################
#
-@@ -404,7 +503,7 @@ logging_read_generic_logs(abrt_dump_oops_t)
+@@ -404,7 +504,7 @@ logging_read_generic_logs(abrt_dump_oops_t)
#
allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
@@ -1040,7 +1041,7 @@ index eb50f07..95bf222 100644
read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
-@@ -413,16 +512,42 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
+@@ -413,16 +513,42 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
corecmd_exec_bin(abrt_watch_log_t)
logging_read_all_logs(abrt_watch_log_t)
@@ -1084,7 +1085,7 @@ index eb50f07..95bf222 100644
')
#######################################
-@@ -430,10 +555,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
+@@ -430,10 +556,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
# Global local policy
#
@@ -16252,7 +16253,7 @@ index 715a826..3f0c0dc 100644
+ ')
')
diff --git a/couchdb.te b/couchdb.te
-index ae1c1b1..07ba975 100644
+index ae1c1b1..0d8ca8f 100644
--- a/couchdb.te
+++ b/couchdb.te
@@ -27,18 +27,21 @@ files_type(couchdb_var_lib_t)
@@ -16294,7 +16295,7 @@ index ae1c1b1..07ba975 100644
corecmd_exec_bin(couchdb_t)
corecmd_exec_shell(couchdb_t)
-@@ -75,14 +79,15 @@ corenet_sendrecv_couchdb_server_packets(couchdb_t)
+@@ -75,14 +79,20 @@ corenet_sendrecv_couchdb_server_packets(couchdb_t)
corenet_tcp_bind_couchdb_port(couchdb_t)
corenet_tcp_sendrecv_couchdb_port(couchdb_t)
@@ -16313,6 +16314,11 @@ index ae1c1b1..07ba975 100644
auth_use_nsswitch(couchdb_t)
-miscfiles_read_localization(couchdb_t)
++optional_policy(`
++ rpc_read_nfs_state_data(couchdb_t)
++')
++
++
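Review bot: The new `optional_policy` block is followed by two empty added lines at the end of couchdb.te; the rest of this tree ends files with a single newline, so the extra blank line should be dropped. The block itself is fine.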
diff --git a/courier.fc b/courier.fc
index 2f017a0..defdc87 100644
--- a/courier.fc
@@ -17918,7 +17924,7 @@ index 1303b30..615caac 100644
+ logging_log_filetrans($1, cron_log_t, $2, $3)
')
diff --git a/cron.te b/cron.te
-index 7de3859..c5ba745 100644
+index 7de3859..d88194b 100644
--- a/cron.te
+++ b/cron.te
@@ -11,46 +11,46 @@ gen_require(`
@@ -18631,15 +18637,20 @@ index 7de3859..c5ba745 100644
')
optional_policy(`
-@@ -608,6 +622,7 @@ optional_policy(`
+@@ -607,7 +621,12 @@ optional_policy(`
+ ')
optional_policy(`
++ snapper_dbus_chat(system_cronjob_t)
++')
++
++optional_policy(`
spamassassin_manage_lib_files(system_cronjob_t)
+ spamassassin_manage_home_client(system_cronjob_t)
')
optional_policy(`
-@@ -615,12 +630,24 @@ optional_policy(`
+@@ -615,12 +634,24 @@ optional_policy(`
')
optional_policy(`
@@ -18666,7 +18677,7 @@ index 7de3859..c5ba745 100644
#
allow cronjob_t self:process { signal_perms setsched };
-@@ -628,12 +655,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
+@@ -628,12 +659,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
allow cronjob_t self:unix_dgram_socket create_socket_perms;
@@ -18700,7 +18711,7 @@ index 7de3859..c5ba745 100644
corenet_all_recvfrom_netlabel(cronjob_t)
corenet_tcp_sendrecv_generic_if(cronjob_t)
corenet_udp_sendrecv_generic_if(cronjob_t)
-@@ -641,66 +688,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
+@@ -641,66 +692,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
corenet_udp_sendrecv_generic_node(cronjob_t)
corenet_tcp_sendrecv_all_ports(cronjob_t)
corenet_udp_sendrecv_all_ports(cronjob_t)
@@ -20721,7 +20732,7 @@ index dda905b..ccd0ba9 100644
/var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+')
diff --git a/dbus.if b/dbus.if
-index 62d22cb..cbf09ce 100644
+index 62d22cb..5f27946 100644
--- a/dbus.if
+++ b/dbus.if
@@ -1,4 +1,4 @@
@@ -20793,12 +20804,13 @@ index 62d22cb..cbf09ce 100644
# Local policy
#
-+ # For connecting to the bus
- allow $3 $1_dbusd_t:unix_stream_socket connectto;
+- allow $3 $1_dbusd_t:unix_stream_socket connectto;
- allow $3 $1_dbusd_t:dbus { send_msg acquire_svc };
- allow $3 $1_dbusd_t:fd use;
-
- allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
++ # For connecting to the bus
++ allow $3 $1_dbusd_t:unix_stream_socket { connectto rw_socket_perms };
- allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
- allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:file { manage_file_perms relabel_file_perms };
@@ -20846,7 +20858,7 @@ index 62d22cb..cbf09ce 100644
##
##
##
-@@ -103,91 +129,84 @@ template(`dbus_role_template',`
+@@ -103,91 +129,86 @@ template(`dbus_role_template',`
#
interface(`dbus_system_bus_client',`
gen_require(`
@@ -20856,11 +20868,13 @@ index 62d22cb..cbf09ce 100644
+ type system_dbusd_var_run_t, system_dbusd_var_lib_t;
class dbus send_msg;
+ attribute dbusd_unconfined;
++ attribute system_bus_client;
')
- typeattribute $1 dbusd_system_bus_client;
-
+ # SE-DBus specific permissions
++ typeattribute $1 system_bus_client;
allow $1 { system_dbusd_t self }:dbus send_msg;
- allow system_dbusd_t $1:dbus send_msg;
+ allow { system_dbusd_t dbusd_unconfined } $1:dbus send_msg;
@@ -20972,7 +20986,7 @@ index 62d22cb..cbf09ce 100644
##
##
##
-@@ -195,15 +214,18 @@ interface(`dbus_connect_spec_session_bus',`
+@@ -195,15 +216,18 @@ interface(`dbus_connect_spec_session_bus',`
##
##
#
@@ -20997,7 +21011,7 @@ index 62d22cb..cbf09ce 100644
##
##
##
-@@ -211,57 +233,39 @@ interface(`dbus_session_bus_client',`
+@@ -211,57 +235,39 @@ interface(`dbus_session_bus_client',`
##
##
#
@@ -21069,7 +21083,7 @@ index 62d22cb..cbf09ce 100644
##
##
##
-@@ -269,15 +273,19 @@ interface(`dbus_spec_session_bus_client',`
+@@ -269,15 +275,19 @@ interface(`dbus_spec_session_bus_client',`
##
##
#
@@ -21095,7 +21109,7 @@ index 62d22cb..cbf09ce 100644
##
##
##
-@@ -285,44 +293,52 @@ interface(`dbus_send_session_bus',`
+@@ -285,44 +295,52 @@ interface(`dbus_send_session_bus',`
##
##
#
@@ -21162,7 +21176,7 @@ index 62d22cb..cbf09ce 100644
##
##
##
-@@ -330,18 +346,18 @@ interface(`dbus_send_spec_session_bus',`
+@@ -330,18 +348,18 @@ interface(`dbus_send_spec_session_bus',`
##
##
#
@@ -21186,7 +21200,7 @@ index 62d22cb..cbf09ce 100644
##
##
##
-@@ -349,20 +365,18 @@ interface(`dbus_read_config',`
+@@ -349,20 +367,18 @@ interface(`dbus_read_config',`
##
##
#
@@ -21212,7 +21226,7 @@ index 62d22cb..cbf09ce 100644
##
##
##
-@@ -370,26 +384,20 @@ interface(`dbus_read_lib_files',`
+@@ -370,26 +386,20 @@ interface(`dbus_read_lib_files',`
##
##
#
@@ -21245,7 +21259,7 @@ index 62d22cb..cbf09ce 100644
##
##
## Type to be used as a domain.
-@@ -397,81 +405,67 @@ interface(`dbus_manage_lib_files',`
+@@ -397,81 +407,67 @@ interface(`dbus_manage_lib_files',`
##
##
##
@@ -21355,7 +21369,7 @@ index 62d22cb..cbf09ce 100644
##
##
##
-@@ -479,18 +473,18 @@ interface(`dbus_spec_session_domain',`
+@@ -479,18 +475,18 @@ interface(`dbus_spec_session_domain',`
##
##
#
@@ -21379,7 +21393,7 @@ index 62d22cb..cbf09ce 100644
##
##
##
-@@ -498,98 +492,100 @@ interface(`dbus_connect_system_bus',`
+@@ -498,98 +494,100 @@ interface(`dbus_connect_system_bus',`
##
##
#
@@ -21523,7 +21537,7 @@ index 62d22cb..cbf09ce 100644
##
##
##
-@@ -597,28 +593,50 @@ interface(`dbus_use_system_bus_fds',`
+@@ -597,28 +595,51 @@ interface(`dbus_use_system_bus_fds',`
##
##
#
@@ -21558,12 +21572,13 @@ index 62d22cb..cbf09ce 100644
gen_require(`
- attribute dbusd_unconfined;
+ attribute system_bus_type;
++ attribute system_bus_client;
+ class dbus send_msg;
')
- typeattribute $1 dbusd_unconfined;
-+ allow $1 system_bus_type:dbus send_msg;
-+ allow system_bus_type $1:dbus send_msg;
++ allow $1 { system_bus_type system_bus_client }:dbus send_msg;
++ allow { system_bus_type system_bus_client } $1:dbus send_msg;
+')
+
+#######################################
@@ -21583,10 +21598,10 @@ index 62d22cb..cbf09ce 100644
+ files_var_filetrans($1, system_dbusd_var_lib_t, dir, "ibus")
')
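Review bot: The two added rules give every caller of this interface `dbus send_msg` in both directions with every domain carrying the new `system_bus_client` attribute, i.e. with every domain that calls `dbus_system_bus_client`, not only with the bus daemons (`system_bus_type`); that is roughly the reach the removed `typeattribute $1 dbusd_unconfined` had. The interface's description sits above the hunk and should state this so the interface is not mistaken for a bus-daemon-only grant, e.g. `## Allow the domain to send and receive dbus messages from all system bus daemons and all system bus client domains.`. Callers of this interface are effectively unconfined on the system bus and should be reviewed with that in mind.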
diff --git a/dbus.te b/dbus.te
-index c9998c8..94ff984 100644
+index c9998c8..4e0254d 100644
--- a/dbus.te
+++ b/dbus.te
-@@ -4,17 +4,15 @@ gen_require(`
+@@ -4,17 +4,16 @@ gen_require(`
class dbus all_dbus_perms;
')
@@ -21599,6 +21614,7 @@ index c9998c8..94ff984 100644
attribute dbusd_unconfined;
+attribute system_bus_type;
++attribute system_bus_client;
attribute session_bus_type;
-attribute dbusd_system_bus_client;
@@ -21607,7 +21623,7 @@ index c9998c8..94ff984 100644
type dbusd_etc_t;
files_config_file(dbusd_etc_t)
-@@ -22,9 +20,6 @@ type dbusd_exec_t;
+@@ -22,9 +21,6 @@ type dbusd_exec_t;
corecmd_executable_file(dbusd_exec_t)
typealias dbusd_exec_t alias system_dbusd_exec_t;
@@ -21617,7 +21633,7 @@ index c9998c8..94ff984 100644
type session_dbusd_tmp_t;
typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t };
typealias session_dbusd_tmp_t alias { auditadm_dbusd_tmp_t secadm_dbusd_tmp_t };
-@@ -41,7 +36,8 @@ files_type(system_dbusd_var_lib_t)
+@@ -41,7 +37,8 @@ files_type(system_dbusd_var_lib_t)
type system_dbusd_var_run_t;
files_pid_file(system_dbusd_var_run_t)
@@ -21627,7 +21643,7 @@ index c9998c8..94ff984 100644
ifdef(`enable_mcs',`
init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
-@@ -51,59 +47,62 @@ ifdef(`enable_mls',`
+@@ -51,59 +48,62 @@ ifdef(`enable_mls',`
init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mls_systemhigh)
')
@@ -21707,7 +21723,7 @@ index c9998c8..94ff984 100644
mls_fd_use_all_levels(system_dbusd_t)
mls_rangetrans_target(system_dbusd_t)
mls_file_read_all_levels(system_dbusd_t)
-@@ -123,66 +122,165 @@ term_dontaudit_use_console(system_dbusd_t)
+@@ -123,66 +123,165 @@ term_dontaudit_use_console(system_dbusd_t)
auth_use_nsswitch(system_dbusd_t)
auth_read_pam_console_data(system_dbusd_t)
@@ -21887,7 +21903,7 @@ index c9998c8..94ff984 100644
kernel_read_kernel_sysctls(session_bus_type)
corecmd_list_bin(session_bus_type)
-@@ -191,23 +289,18 @@ corecmd_read_bin_files(session_bus_type)
+@@ -191,23 +290,18 @@ corecmd_read_bin_files(session_bus_type)
corecmd_read_bin_pipes(session_bus_type)
corecmd_read_bin_sockets(session_bus_type)
@@ -21912,7 +21928,7 @@ index c9998c8..94ff984 100644
files_dontaudit_search_var(session_bus_type)
fs_getattr_romfs(session_bus_type)
-@@ -215,7 +308,6 @@ fs_getattr_xattr_fs(session_bus_type)
+@@ -215,7 +309,6 @@ fs_getattr_xattr_fs(session_bus_type)
fs_list_inotifyfs(session_bus_type)
fs_dontaudit_list_nfs(session_bus_type)
@@ -21920,7 +21936,7 @@ index c9998c8..94ff984 100644
selinux_validate_context(session_bus_type)
selinux_compute_access_vector(session_bus_type)
selinux_compute_create_context(session_bus_type)
-@@ -225,18 +317,36 @@ selinux_compute_user_contexts(session_bus_type)
+@@ -225,18 +318,36 @@ selinux_compute_user_contexts(session_bus_type)
auth_read_pam_console_data(session_bus_type)
logging_send_audit_msgs(session_bus_type)
@@ -21962,7 +21978,7 @@ index c9998c8..94ff984 100644
')
########################################
-@@ -244,5 +354,9 @@ optional_policy(`
+@@ -244,5 +355,9 @@ optional_policy(`
# Unconfined access to this module
#
@@ -25025,10 +25041,10 @@ index 0000000..2a614ed
+')
diff --git a/docker.te b/docker.te
new file mode 100644
-index 0000000..d03d41b
+index 0000000..a1ed007
--- /dev/null
+++ b/docker.te
-@@ -0,0 +1,281 @@
+@@ -0,0 +1,285 @@
+policy_module(docker, 1.0.0)
+
+########################################
@@ -25088,7 +25104,7 @@ index 0000000..d03d41b
+#
+# docker local policy
+#
-+allow docker_t self:capability { chown fowner fsetid mknod net_admin net_bind_service setfcap };
++allow docker_t self:capability { chown kill fowner fsetid mknod net_admin net_bind_service net_raw setfcap };
+allow docker_t self:process { getattr signal_perms };
+allow docker_t self:fifo_file rw_fifo_file_perms;
+allow docker_t self:unix_stream_socket create_stream_socket_perms;
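Review bot: `kill` and `net_raw` are added to docker_t's capability set without a comment saying what needs them; the docker.te section header above gives no hint either. A short why-comment above the rule naming the operation behind each new capability (replace with the actual reason) would let the next reviewer judge whether the grant can be narrowed. The same comment gap applies to the broadened tmpfs and share rules in the next hunk.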
@@ -25115,12 +25131,15 @@ index 0000000..d03d41b
+manage_lnk_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
+manage_fifo_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
+manage_chr_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
++manage_blk_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
++can_exec(docker_t, docker_tmpfs_t)
+fs_tmpfs_filetrans(docker_t, docker_tmpfs_t, { dir file })
+allow docker_t docker_tmpfs_t:chr_file mounton;
+
+manage_dirs_pattern(docker_t, docker_share_t, docker_share_t)
+manage_files_pattern(docker_t, docker_share_t, docker_share_t)
+manage_lnk_files_pattern(docker_t, docker_share_t, docker_share_t)
++allow docker_t docker_share_t:dir_file_class_set { relabelfrom relabelto };
+can_exec(docker_t, docker_share_t)
+docker_filetrans_named_content(docker_t)
+
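Review bot: `can_exec(docker_t, docker_tmpfs_t)` lets the daemon execute content under a type it also creates and writes (the `manage_*_pattern` rules on `docker_tmpfs_t` directly above, now including block files), so write-and-execute is granted on a single type with no comment stating which binaries docker runs from tmpfs. If the executables are a known set, a dedicated exec type would be tighter; otherwise a why-comment such as `# docker executes <what> that it unpacks into its tmpfs` (filled in with the real case) should accompany the rule. The same question applies to `can_exec(docker_t, docker_share_t)` combined with the new `relabelfrom relabelto` rule on `docker_share_t`.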
@@ -25149,6 +25168,7 @@ index 0000000..d03d41b
+kernel_read_all_proc(docker_t)
+
+domain_use_interactive_fds(docker_t)
++domain_dontaudit_read_all_domains_state(docker_t)
+
+corecmd_exec_bin(docker_t)
+corecmd_exec_shell(docker_t)
@@ -25603,7 +25623,7 @@ index d5badb7..c2431fc 100644
+ admin_pattern($1, dovecot_passwd_t)
')
diff --git a/dovecot.te b/dovecot.te
-index 0aabc7e..9b188d5 100644
+index 0aabc7e..7bd570c 100644
--- a/dovecot.te
+++ b/dovecot.te
@@ -7,12 +7,10 @@ policy_module(dovecot, 1.16.1)
@@ -25855,7 +25875,7 @@ index 0aabc7e..9b188d5 100644
sendmail_domtrans(dovecot_t)
')
-@@ -227,46 +222,65 @@ optional_policy(`
+@@ -227,46 +222,67 @@ optional_policy(`
########################################
#
@@ -25913,6 +25933,8 @@ index 0aabc7e..9b188d5 100644
sysnet_use_ldap(dovecot_auth_t)
+systemd_login_read_pid_files(dovecot_auth_t)
++systemd_dbus_chat_logind(dovecot_auth_t)
++systemd_write_inherited_logind_sessions_pipes(dovecot_auth_t)
+
+userdom_getattr_user_home_dirs(dovecot_auth_t)
+
@@ -25930,7 +25952,7 @@ index 0aabc7e..9b188d5 100644
mysql_stream_connect(dovecot_auth_t)
mysql_read_config(dovecot_auth_t)
mysql_tcp_connect(dovecot_auth_t)
-@@ -277,53 +291,79 @@ optional_policy(`
+@@ -277,53 +293,79 @@ optional_policy(`
')
optional_policy(`
@@ -26029,7 +26051,7 @@ index 0aabc7e..9b188d5 100644
mta_read_queue(dovecot_deliver_t)
')
-@@ -332,5 +372,6 @@ optional_policy(`
+@@ -332,5 +374,6 @@ optional_policy(`
')
optional_policy(`
@@ -34009,7 +34031,7 @@ index 180f1b7..3c8757e 100644
+ userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
+')
diff --git a/gpg.te b/gpg.te
-index 0e97e82..b983d2f 100644
+index 0e97e82..9d13873 100644
--- a/gpg.te
+++ b/gpg.te
@@ -4,15 +4,7 @@ policy_module(gpg, 2.8.0)
@@ -34083,6 +34105,7 @@ index 0e97e82..b983d2f 100644
+#at setrlimit is for ulimit -c 0
+allow gpgdomain self:process { signal signull setrlimit getcap setcap setpgid };
+dontaudit gpgdomain self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay };
++allow gpgdomain self:netlink_kobject_uevent_socket create_socket_perms;
+
+allow gpgdomain self:fifo_file rw_fifo_file_perms;
+allow gpgdomain self:tcp_socket create_stream_socket_perms;
@@ -34092,7 +34115,6 @@ index 0e97e82..b983d2f 100644
files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })
-manage_dirs_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
-+
+allow gpg_t gpg_secret_t:dir create_dir_perms;
manage_sock_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
@@ -38379,14 +38401,16 @@ index 2990962..c153d15 100644
')
diff --git a/keepalived.fc b/keepalived.fc
new file mode 100644
-index 0000000..7e6f8be
+index 0000000..9a19f91
--- /dev/null
+++ b/keepalived.fc
-@@ -0,0 +1,5 @@
+@@ -0,0 +1,7 @@
+/usr/lib/systemd/system/keepalived.* -- gen_context(system_u:object_r:keepalived_unit_file_t,s0)
+
+/usr/sbin/keepalived -- gen_context(system_u:object_r:keepalived_exec_t,s0)
+
++/usr/libexec/keepalived(/.*)? gen_context(system_u:object_r:keepalived_unconfined_script_exec_t,s0)
++
+/var/run/keepalived.* -- gen_context(system_u:object_r:keepalived_var_run_t,s0)
diff --git a/keepalived.if b/keepalived.if
new file mode 100644
@@ -38480,10 +38504,10 @@ index 0000000..0d61849
+')
diff --git a/keepalived.te b/keepalived.te
new file mode 100644
-index 0000000..ad2d023
+index 0000000..1a78c67
--- /dev/null
+++ b/keepalived.te
-@@ -0,0 +1,57 @@
+@@ -0,0 +1,89 @@
+policy_module(keepalived, 1.0.0)
+
+########################################
@@ -38501,18 +38525,21 @@ index 0000000..ad2d023
+type keepalived_var_run_t;
+files_pid_file(keepalived_var_run_t)
+
++type keepalived_unconfined_script_exec_t;
++application_executable_file(keepalived_unconfined_script_exec_t)
++
+########################################
+#
+# keepalived local policy
+#
-+allow keepalived_t self:capability { net_admin net_raw };
++
++allow keepalived_t self:capability { net_admin net_raw kill };
+allow keepalived_t self:process { signal_perms };
+allow keepalived_t self:netlink_socket create_socket_perms;
+allow keepalived_t self:netlink_route_socket nlmsg_write;
+allow keepalived_t self:packet_socket create_socket_perms;
+allow keepalived_t self:rawip_socket create_socket_perms;
+
-+
+manage_files_pattern(keepalived_t, keepalived_var_run_t, keepalived_var_run_t)
+files_pid_filetrans(keepalived_t, keepalived_var_run_t, { file })
+
@@ -38530,6 +38557,8 @@ index 0000000..ad2d023
+corenet_tcp_connect_snmp_port(keepalived_t)
+corenet_tcp_connect_agentx_port(keepalived_t)
+
++domain_read_all_domains_state(keepalived_t)
++
+dev_read_urand(keepalived_t)
+
+modutils_domtrans_insmod(keepalived_t)
@@ -38537,10 +38566,37 @@ index 0000000..ad2d023
+logging_send_syslog_msg(keepalived_t)
+
+optional_policy(`
++ rhcs_signull_haproxy(keepalived_t)
++')
++
++optional_policy(`
+ snmp_manage_var_lib_files(keepalived_t)
+ snmp_manage_var_lib_sock_files(keepalived_t)
+ snmp_manage_var_lib_dirs(keepalived_t)
+')
++
++########################################
++#
++# keepalived_unconfined_script_script_t local policy
++#
++
++optional_policy(`
++ type keepalived_unconfined_script_t;
++ domain_type(keepalived_unconfined_script_t)
++
++ domain_entry_file(keepalived_unconfined_script_t, keepalived_unconfined_script_exec_t)
++ role system_r types keepalived_unconfined_script_t;
++
++ domtrans_pattern(keepalived_t, keepalived_unconfined_script_exec_t, keepalived_unconfined_script_t)
++
++ allow keepalived_t keepalived_unconfined_script_exec_t:dir search_dir_perms;
++ allow keepalived_t keepalived_unconfined_script_exec_t:dir read_file_perms;
++ allow keepalived_t keepalived_unconfined_script_exec_t:file ioctl;
++
++ optional_policy(`
++ unconfined_domain(keepalived_unconfined_script_t)
++ ')
++')
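Review bot: `allow keepalived_t keepalived_unconfined_script_exec_t:dir read_file_perms;` applies a file permission set to the `dir` class, sitting between a `dir search_dir_perms` rule and a `file ioctl` rule; this looks like it was meant to be `allow keepalived_t keepalived_unconfined_script_exec_t:file read_file_perms;`, which would also subsume the separate `file ioctl` line. The section comment `# keepalived_unconfined_script_script_t local policy` has a doubled `script` and should name `keepalived_unconfined_script_t`. Since everything labeled `keepalived_unconfined_script_exec_t` (`/usr/libexec/keepalived(/.*)?` in keepalived.fc) transitions to an `unconfined_domain`, the block deserves a header comment stating that no policy may grant write access to that type; the hunk grants none, which is the state to preserve. Declaring the type inside `optional_policy` is unusual for this tree and worth a comment on why it is conditional.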
diff --git a/kerberos.fc b/kerberos.fc
index 4fe75fd..b05128a 100644
--- a/kerberos.fc
@@ -42082,7 +42138,7 @@ index 61db5a0..9d5d255 100644
+userdom_use_inherited_user_terminals(lockdev_t)
+
diff --git a/logrotate.fc b/logrotate.fc
-index a11d5be..36c8de7 100644
+index a11d5be..4cf59d3 100644
--- a/logrotate.fc
+++ b/logrotate.fc
@@ -1,6 +1,9 @@
@@ -42095,7 +42151,7 @@ index a11d5be..36c8de7 100644
/var/lib/logrotate(/.*)? gen_context(system_u:object_r:logrotate_var_lib_t,s0)
-/var/lib/logrotate\.status -- gen_context(system_u:object_r:logrotate_var_lib_t,s0)
+', `
-+/var/lib/logrotate\.status -- gen_context(system_u:object_r:logrotate_var_lib_t,s0)
++/var/lib/logrotate\.status.* -- gen_context(system_u:object_r:logrotate_var_lib_t,s0)
+')
diff --git a/logrotate.if b/logrotate.if
index dd8e01a..9cd6b0b 100644
@@ -46462,14 +46518,15 @@ index 0000000..74302c2
+logging_send_syslog_msg(mon_procd_t)
+
diff --git a/mongodb.fc b/mongodb.fc
-index 6fcfc31..85dcd4b 100644
+index 6fcfc31..91adcaf 100644
--- a/mongodb.fc
+++ b/mongodb.fc
-@@ -1,9 +1,12 @@
+@@ -1,9 +1,13 @@
/etc/rc\.d/init\.d/mongod -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
-/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0)
+/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0)
++/usr/bin/mongos -- gen_context(system_u:object_r:mongod_exec_t,s0)
+/usr/share/aeolus-conductor/dbomatic/dbomatic -- gen_context(system_u:object_r:mongod_exec_t,s0)
/var/lib/mongo.* gen_context(system_u:object_r:mongod_var_lib_t,s0)
@@ -46482,7 +46539,7 @@ index 6fcfc31..85dcd4b 100644
+/var/run/mongo.* gen_context(system_u:object_r:mongod_var_run_t,s0)
+/var/run/aeolus/dbomatic\.pid -- gen_context(system_u:object_r:mongod_var_run_t,s0)
diff --git a/mongodb.te b/mongodb.te
-index 169f236..1f19104 100644
+index 169f236..dec8a95 100644
--- a/mongodb.te
+++ b/mongodb.te
@@ -21,19 +21,25 @@ files_type(mongod_var_lib_t)
@@ -46517,7 +46574,7 @@ index 169f236..1f19104 100644
manage_dirs_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
manage_files_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
-@@ -41,21 +47,41 @@ files_var_lib_filetrans(mongod_t, mongod_var_lib_t, dir)
+@@ -41,21 +47,42 @@ files_var_lib_filetrans(mongod_t, mongod_var_lib_t, dir)
manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
@@ -46541,6 +46598,7 @@ index 169f236..1f19104 100644
corenet_tcp_sendrecv_generic_if(mongod_t)
corenet_tcp_sendrecv_generic_node(mongod_t)
+corenet_tcp_connect_mongod_port(mongod_t)
++corenet_tcp_bind_mongod_port(mongod_t)
corenet_tcp_bind_generic_node(mongod_t)
dev_read_sysfs(mongod_t)
@@ -53498,7 +53556,7 @@ index 0641e97..cad402c 100644
+ admin_pattern($1, nrpe_etc_t)
')
diff --git a/nagios.te b/nagios.te
-index 7b3e682..a22a321 100644
+index 7b3e682..75ed416 100644
--- a/nagios.te
+++ b/nagios.te
@@ -27,7 +27,7 @@ type nagios_var_run_t;
@@ -53753,7 +53811,14 @@ index 7b3e682..a22a321 100644
')
optional_policy(`
-@@ -411,6 +427,7 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
+@@ -406,11 +422,14 @@ allow nagios_system_plugin_t self:capability dac_override;
+ dontaudit nagios_system_plugin_t self:capability { setuid setgid };
+
+ read_files_pattern(nagios_system_plugin_t, nagios_log_t, nagios_log_t)
++allow nagios_system_plugin_t nrpe_exec_t:file read_file_perms;
++allow nagios_system_plugin_t nagios_exec_t:file read_file_perms;
+
+ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file })
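Review bot: The two added `allow` rules give `nagios_system_plugin_t` `read_file_perms` on `nrpe_exec_t` and `nagios_exec_t`, which includes `open`, `read`, `ioctl` and `lock` on the daemon binaries; if the plugins only stat the executables (for example to confirm they are installed), `getattr_file_perms` is sufficient, and if they actually run them a `can_exec`-style rule expresses that intent better than raw read access. The hunk does not show which plugin triggers this, so the right permission set is inferred; a one-line comment above the rules naming the plugin and the access it performs would keep the grant reviewable. The `nagios_system_plugin_t` policy continues outside this hunk.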
@@ -53761,7 +53826,7 @@ index 7b3e682..a22a321 100644
kernel_read_kernel_sysctls(nagios_system_plugin_t)
corecmd_exec_bin(nagios_system_plugin_t)
-@@ -420,14 +437,18 @@ dev_read_sysfs(nagios_system_plugin_t)
+@@ -420,14 +439,18 @@ dev_read_sysfs(nagios_system_plugin_t)
domain_read_all_domains_state(nagios_system_plugin_t)
@@ -53782,7 +53847,7 @@ index 7b3e682..a22a321 100644
#######################################
#
# Event local policy
-@@ -442,11 +463,44 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t)
+@@ -442,9 +465,39 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t)
init_domtrans_script(nagios_eventhandler_plugin_t)
@@ -53823,11 +53888,6 @@ index 7b3e682..a22a321 100644
#
optional_policy(`
- unconfined_domain(nagios_unconfined_plugin_t)
- ')
-+
-+
-+
diff --git a/namespace.fc b/namespace.fc
new file mode 100644
index 0000000..ce51c8d
@@ -57059,7 +57119,7 @@ index 97df768..852d1c6 100644
+ admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
')
diff --git a/nslcd.te b/nslcd.te
-index 421bf1a..e3f91f6 100644
+index 421bf1a..fd870fc 100644
--- a/nslcd.te
+++ b/nslcd.te
@@ -20,12 +20,12 @@ files_config_file(nslcd_conf_t)
@@ -57079,7 +57139,7 @@ index 421bf1a..e3f91f6 100644
allow nslcd_t nslcd_conf_t:file read_file_perms;
-@@ -36,14 +36,12 @@ files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir })
+@@ -36,16 +36,17 @@ files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir })
kernel_read_system_state(nslcd_t)
@@ -57096,13 +57156,18 @@ index 421bf1a..e3f91f6 100644
+corenet_sendrecv_ldap_client_packets(nslcd_t)
dev_read_sysfs(nslcd_t)
++dev_read_urand(nslcd_t)
++
++corecmd_exec_bin(nslcd_t)
-@@ -54,10 +52,14 @@ auth_use_nsswitch(nslcd_t)
+ files_read_usr_symlinks(nslcd_t)
+ files_list_tmp(nslcd_t)
+@@ -54,10 +55,13 @@ auth_use_nsswitch(nslcd_t)
logging_send_syslog_msg(nslcd_t)
-miscfiles_read_localization(nslcd_t)
-
+-
userdom_read_user_tmp_files(nslcd_t)
optional_policy(`
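Review bot: `corecmd_exec_bin(nslcd_t)` is a broad grant, letting the LDAP name-service daemon execute any `bin_t` program, and it is not mentioned in this release's changelog, which lists only the `/dev/urandom` read for nslcd. If nslcd needs one specific helper, a narrower interface for that helper's type is preferable; if the broad grant is genuinely required, a comment above the line such as `# nslcd execs helper programs under bin_t (which?); needed for ...` should justify it. The AVC denial that motivated the rule is not visible here, so the exact need is inferred. The `nslcd_t` rules continue outside this hunk.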
@@ -80443,7 +80508,7 @@ index 47de2d6..2c625fb 100644
+/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0)
+/var/log/pcsd(/.*)? gen_context(system_u:object_r:cluster_var_log_t,s0)
diff --git a/rhcs.if b/rhcs.if
-index c8bdea2..b68d5b7 100644
+index c8bdea2..57fad67 100644
--- a/rhcs.if
+++ b/rhcs.if
@@ -1,19 +1,19 @@
@@ -80551,7 +80616,7 @@ index c8bdea2..b68d5b7 100644
##
##
##
-@@ -111,18 +108,18 @@ interface(`rhcs_getattr_fenced_exec_files',`
+@@ -111,18 +108,36 @@ interface(`rhcs_getattr_fenced_exec_files',`
##
##
#
@@ -80565,6 +80630,24 @@ index c8bdea2..b68d5b7 100644
files_search_pids($1)
- stream_connect_pattern($1, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t)
+ stream_connect_pattern($1, haproxy_var_run_t, haproxy_var_run_t, haproxy_t)
++')
++
++########################################
++##
++## Send a null signal to haproxy.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rhcs_signull_haproxy',`
++ gen_require(`
++ type haproxy_t;
++ ')
++
++ allow $1 haproxy_t:process signull;
')
#####################################
@@ -80574,7 +80657,7 @@ index c8bdea2..b68d5b7 100644
##
##
##
-@@ -160,9 +157,27 @@ interface(`rhcs_domtrans_fenced',`
+@@ -160,9 +175,27 @@ interface(`rhcs_domtrans_fenced',`
domtrans_pattern($1, fenced_exec_t, fenced_t)
')
@@ -80603,7 +80686,7 @@ index c8bdea2..b68d5b7 100644
##
##
##
-@@ -181,10 +196,9 @@ interface(`rhcs_rw_fenced_semaphores',`
+@@ -181,10 +214,9 @@ interface(`rhcs_rw_fenced_semaphores',`
manage_files_pattern($1, fenced_tmpfs_t, fenced_tmpfs_t)
')
@@ -80616,7 +80699,7 @@ index c8bdea2..b68d5b7 100644
##
##
##
-@@ -192,19 +206,18 @@ interface(`rhcs_rw_fenced_semaphores',`
+@@ -192,19 +224,18 @@ interface(`rhcs_rw_fenced_semaphores',`
##
##
#
@@ -80640,7 +80723,7 @@ index c8bdea2..b68d5b7 100644
##
##
##
-@@ -221,10 +234,28 @@ interface(`rhcs_stream_connect_fenced',`
+@@ -221,10 +252,28 @@ interface(`rhcs_stream_connect_fenced',`
stream_connect_pattern($1, fenced_var_run_t, fenced_var_run_t, fenced_t)
')
@@ -80671,7 +80754,7 @@ index c8bdea2..b68d5b7 100644
##
##
##
-@@ -243,7 +274,7 @@ interface(`rhcs_domtrans_gfs_controld',`
+@@ -243,7 +292,7 @@ interface(`rhcs_domtrans_gfs_controld',`
####################################
##
@@ -80680,7 +80763,7 @@ index c8bdea2..b68d5b7 100644
##
##
##
-@@ -264,7 +295,7 @@ interface(`rhcs_rw_gfs_controld_semaphores',`
+@@ -264,7 +313,7 @@ interface(`rhcs_rw_gfs_controld_semaphores',`
########################################
##
@@ -80689,7 +80772,7 @@ index c8bdea2..b68d5b7 100644
##
##
##
-@@ -285,8 +316,7 @@ interface(`rhcs_rw_gfs_controld_shm',`
+@@ -285,8 +334,7 @@ interface(`rhcs_rw_gfs_controld_shm',`
#####################################
##
@@ -80699,7 +80782,7 @@ index c8bdea2..b68d5b7 100644
##
##
##
-@@ -324,8 +354,8 @@ interface(`rhcs_domtrans_groupd',`
+@@ -324,8 +372,8 @@ interface(`rhcs_domtrans_groupd',`
#####################################
##
@@ -80710,7 +80793,7 @@ index c8bdea2..b68d5b7 100644
##
##
##
-@@ -342,10 +372,51 @@ interface(`rhcs_stream_connect_groupd',`
+@@ -342,10 +390,51 @@ interface(`rhcs_stream_connect_groupd',`
stream_connect_pattern($1, groupd_var_run_t, groupd_var_run_t, groupd_t)
')
@@ -80764,7 +80847,7 @@ index c8bdea2..b68d5b7 100644
##
##
##
-@@ -366,8 +437,7 @@ interface(`rhcs_rw_cluster_shm',`
+@@ -366,8 +455,7 @@ interface(`rhcs_rw_cluster_shm',`
####################################
##
@@ -80774,7 +80857,7 @@ index c8bdea2..b68d5b7 100644
##
##
##
-@@ -383,9 +453,10 @@ interface(`rhcs_rw_cluster_semaphores',`
+@@ -383,9 +471,10 @@ interface(`rhcs_rw_cluster_semaphores',`
allow $1 cluster_domain:sem { rw_sem_perms destroy };
')
@@ -80787,7 +80870,7 @@ index c8bdea2..b68d5b7 100644
##
##
##
-@@ -393,20 +464,44 @@ interface(`rhcs_rw_cluster_semaphores',`
+@@ -393,20 +482,44 @@ interface(`rhcs_rw_cluster_semaphores',`
##
##
#
@@ -80838,7 +80921,7 @@ index c8bdea2..b68d5b7 100644
##
##
##
-@@ -414,15 +509,12 @@ interface(`rhcs_rw_groupd_semaphores',`
+@@ -414,15 +527,12 @@ interface(`rhcs_rw_groupd_semaphores',`
##
##
#
@@ -80857,7 +80940,7 @@ index c8bdea2..b68d5b7 100644
')
######################################
-@@ -446,52 +538,361 @@ interface(`rhcs_domtrans_qdiskd',`
+@@ -446,52 +556,361 @@ interface(`rhcs_domtrans_qdiskd',`
########################################
##
@@ -80908,7 +80991,11 @@ index c8bdea2..b68d5b7 100644
+ files_search_var_lib($1)
+ read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
+')
-+
+
+- init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t })
+- domain_system_change_exemption($1)
+- role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r;
+- allow $2 system_r;
+#####################################
+##
+## Allow domain to manage cluster lib files
@@ -80923,15 +81010,15 @@ index c8bdea2..b68d5b7 100644
+ gen_require(`
+ type cluster_var_lib_t;
+ ')
-+
+
+- files_search_pids($1)
+- admin_pattern($1, cluster_pid)
+ files_search_var_lib($1)
+ manage_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
+')
-- init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t })
-- domain_system_change_exemption($1)
-- role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r;
-- allow $2 system_r;
+- files_search_locks($1)
+- admin_pattern($1, fenced_lock_t)
+####################################
+##
+## Allow domain to relabel cluster lib files
@@ -80952,8 +81039,8 @@ index c8bdea2..b68d5b7 100644
+ relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
+')
-- files_search_pids($1)
-- admin_pattern($1, cluster_pid)
+- files_search_tmp($1)
+- admin_pattern($1, fenced_tmp_t)
+######################################
+##
+## Execute a domain transition to run cluster administrative domain.
@@ -80969,14 +81056,14 @@ index c8bdea2..b68d5b7 100644
+ type cluster_t, cluster_exec_t;
+ ')
-- files_search_locks($1)
-- admin_pattern($1, fenced_lock_t)
+- files_search_var_lib($1)
+- admin_pattern($1, qdiskd_var_lib_t)
+ corecmd_search_bin($1)
+ domtrans_pattern($1, cluster_exec_t, cluster_t)
+')
-- files_search_tmp($1)
-- admin_pattern($1, fenced_tmp_t)
+- fs_search_tmpfs($1)
+- admin_pattern($1, cluster_tmpfs)
+#######################################
+##
+## Execute cluster init scripts in
@@ -80992,14 +81079,10 @@ index c8bdea2..b68d5b7 100644
+ gen_require(`
+ type cluster_initrc_exec_t;
+ ')
-
-- files_search_var_lib($1)
-- admin_pattern($1, qdiskd_var_lib_t)
++
+ init_labeled_script_domtrans($1, cluster_initrc_exec_t)
+')
-
-- fs_search_tmpfs($1)
-- admin_pattern($1, cluster_tmpfs)
++
+#####################################
+##
+## Execute cluster in the caller domain.
@@ -83563,10 +83646,10 @@ index 0000000..8d833ed
+')
diff --git a/rolekit.te b/rolekit.te
new file mode 100644
-index 0000000..da7bd10
+index 0000000..da94453
--- /dev/null
+++ b/rolekit.te
-@@ -0,0 +1,43 @@
+@@ -0,0 +1,47 @@
+policy_module(rolekit, 1.0.0)
+
+########################################
@@ -83605,6 +83688,10 @@ index 0000000..da7bd10
+')
+
+optional_policy(`
++ rpm_transition_script(rolekit_t, system_r)
++')
++
++optional_policy(`
+ unconfined_domain_noaudit(rolekit_t)
+ #should be changed for debugging
+ #unconfined_domain(rolekit_t)
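Review bot: The new `rpm_transition_script(rolekit_t, system_r)` block carries no comment explaining why rolekit needs rpm scriptlets to transition into `rpm_script_t`, and because `rolekit_t` is also given `unconfined_domain_noaudit` a few lines below, the practical effect of the extra transition is not obvious to a later reader. Presumably rolekit installs packages while deploying a role; if so, a line such as `# rolekit installs packages for a role; let rpm scriptlets run in rpm_script_t rather than inherit rolekit_t` above the `optional_policy` would record that. This is inferred from the interface name, as the rolekit behaviour itself is not visible in the patch.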
@@ -87843,7 +87930,7 @@ index 50d07fb..bada62f 100644
+ allow $1 samba_unit_file_t:service all_service_perms;
')
diff --git a/samba.te b/samba.te
-index 2b7c441..d16940f 100644
+index 2b7c441..9c52c41 100644
--- a/samba.te
+++ b/samba.te
@@ -6,100 +6,80 @@ policy_module(samba, 1.16.3)
@@ -88915,7 +89002,7 @@ index 2b7c441..d16940f 100644
manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
-@@ -873,23 +914,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
+@@ -873,38 +914,41 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
@@ -88945,7 +89032,9 @@ index 2b7c441..d16940f 100644
manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
kernel_read_network_state(winbind_t)
-@@ -898,13 +937,17 @@ kernel_read_system_state(winbind_t)
+ kernel_read_kernel_sysctls(winbind_t)
+ kernel_read_system_state(winbind_t)
++kernel_read_usermodehelper_state(winbind_t)
corecmd_exec_bin(winbind_t)
@@ -88966,7 +89055,7 @@ index 2b7c441..d16940f 100644
corenet_tcp_connect_smbd_port(winbind_t)
corenet_tcp_connect_epmap_port(winbind_t)
corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -912,38 +955,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
+@@ -912,38 +956,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
dev_read_sysfs(winbind_t)
dev_read_urand(winbind_t)
@@ -89025,7 +89114,7 @@ index 2b7c441..d16940f 100644
')
optional_policy(`
-@@ -959,31 +1016,29 @@ optional_policy(`
+@@ -959,31 +1017,29 @@ optional_policy(`
# Winbind helper local policy
#
@@ -89063,7 +89152,7 @@ index 2b7c441..d16940f 100644
optional_policy(`
apache_append_log(winbind_helper_t)
-@@ -997,25 +1052,38 @@ optional_policy(`
+@@ -997,25 +1053,38 @@ optional_policy(`
########################################
#
@@ -98852,7 +98941,7 @@ index 42946bc..9f70e4c 100644
+ can_exec($1, telepathy_executable)
')
diff --git a/telepathy.te b/telepathy.te
-index 9afcbc9..1664384 100644
+index 9afcbc9..29ae736 100644
--- a/telepathy.te
+++ b/telepathy.te
@@ -2,28 +2,27 @@ policy_module(telepathy, 1.4.2)
@@ -98964,14 +99053,14 @@ index 9afcbc9..1664384 100644
- corenet_sendrecv_generic_client_packets(telepathy_gabble_t)
corenet_tcp_connect_generic_port(telepathy_gabble_t)
- corenet_tcp_sendrecv_generic_port(telepathy_gabble_t)
-+ corenet_sendrecv_generic_client_packets(telepathy_gabble_t)
- ')
-
+-')
+-
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(telepathy_gabble_t)
- fs_manage_nfs_files(telepathy_gabble_t)
--')
--
++ corenet_sendrecv_generic_client_packets(telepathy_gabble_t)
+ ')
+
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(telepathy_gabble_t)
- fs_manage_cifs_files(telepathy_gabble_t)
@@ -99084,11 +99173,11 @@ index 9afcbc9..1664384 100644
manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
-userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, dir, ".mission-control")
+userdom_search_user_home_dirs(telepathy_mission_control_t)
-
--manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t)
++
+manage_files_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
+manage_dirs_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
-+
+
+-manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t)
+manage_dirs_pattern(telepathy_mission_control_t, { telepathy_data_home_t telepathy_mission_control_data_home_t }, { telepathy_data_home_t telepathy_mission_control_data_home_t })
manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t)
-filetrans_pattern(telepathy_mission_control_t, telepathy_data_home_t, telepathy_mission_control_data_home_t, dir, "mission-control")
@@ -99106,16 +99195,16 @@ index 9afcbc9..1664384 100644
dev_read_rand(telepathy_mission_control_t)
--files_list_tmp(telepathy_mission_control_t)
--files_read_usr_files(telepathy_mission_control_t)
+fs_getattr_all_fs(telepathy_mission_control_t)
++
+ files_list_tmp(telepathy_mission_control_t)
+-files_read_usr_files(telepathy_mission_control_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(telepathy_mission_control_t)
- fs_manage_nfs_files(telepathy_mission_control_t)
-')
-+files_list_tmp(telepathy_mission_control_t)
-
+-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(telepathy_mission_control_t)
- fs_manage_cifs_files(telepathy_mission_control_t)
@@ -99124,7 +99213,7 @@ index 9afcbc9..1664384 100644
optional_policy(`
dbus_system_bus_client(telepathy_mission_control_t)
-@@ -248,59 +218,51 @@ optional_policy(`
+@@ -248,59 +218,47 @@ optional_policy(`
devicekit_dbus_chat_power(telepathy_mission_control_t)
')
optional_policy(`
@@ -99187,19 +99276,18 @@ index 9afcbc9..1664384 100644
-corenet_sendrecv_sip_client_packets(telepathy_msn_t)
corenet_tcp_connect_sip_port(telepathy_msn_t)
-corenet_tcp_sendrecv_sip_port(telepathy_msn_t)
+-
+-corecmd_exec_bin(telepathy_msn_t)
+-corecmd_exec_shell(telepathy_msn_t)
+-
+-files_read_usr_files(telepathy_msn_t)
+corenet_sendrecv_http_client_packets(telepathy_msn_t)
+corenet_sendrecv_mmcc_client_packets(telepathy_msn_t)
+corenet_sendrecv_msnp_client_packets(telepathy_msn_t)
- corecmd_exec_bin(telepathy_msn_t)
- corecmd_exec_shell(telepathy_msn_t)
--
--files_read_usr_files(telepathy_msn_t)
-+corecmd_read_bin_symlinks(telepathy_msn_t)
-
init_read_state(telepathy_msn_t)
-@@ -310,18 +272,19 @@ logging_send_syslog_msg(telepathy_msn_t)
+@@ -310,18 +268,19 @@ logging_send_syslog_msg(telepathy_msn_t)
miscfiles_read_all_certs(telepathy_msn_t)
@@ -99224,7 +99312,7 @@ index 9afcbc9..1664384 100644
')
optional_policy(`
-@@ -332,43 +295,33 @@ optional_policy(`
+@@ -332,43 +291,33 @@ optional_policy(`
')
')
@@ -99273,7 +99361,7 @@ index 9afcbc9..1664384 100644
')
optional_policy(`
-@@ -381,73 +334,53 @@ optional_policy(`
+@@ -381,73 +330,51 @@ optional_policy(`
#######################################
#
@@ -99340,8 +99428,8 @@ index 9afcbc9..1664384 100644
-can_exec(telepathy_sunshine_t, telepathy_sunshine_tmp_t)
-
- corecmd_exec_bin(telepathy_sunshine_t)
-
+-corecmd_exec_bin(telepathy_sunshine_t)
+-
-files_read_usr_files(telepathy_sunshine_t)
-
-tunable_policy(`use_nfs_home_dirs',`
@@ -99357,7 +99445,7 @@ index 9afcbc9..1664384 100644
optional_policy(`
xserver_read_xdm_pid(telepathy_sunshine_t)
xserver_stream_connect(telepathy_sunshine_t)
-@@ -455,31 +388,49 @@ optional_policy(`
+@@ -455,31 +382,51 @@ optional_policy(`
#######################################
#
@@ -99372,17 +99460,19 @@ index 9afcbc9..1664384 100644
manage_dirs_pattern(telepathy_domain, telepathy_cache_home_t, telepathy_cache_home_t)
-# gnome_cache_filetrans(telepathy_domain, telepathy_cache_home_t, dir, "telepathy")
--
--manage_dirs_pattern(telepathy_domain, telepathy_data_home_t, telepathy_data_home_t)
--# gnome_data_filetrans(telepathy_domain, telepathy_data_home_t, dir, "telepathy")
+optional_policy(`
+ gnome_cache_filetrans(telepathy_domain, telepathy_cache_home_t, dir, "telepathy")
+')
+-manage_dirs_pattern(telepathy_domain, telepathy_data_home_t, telepathy_data_home_t)
+-# gnome_data_filetrans(telepathy_domain, telepathy_data_home_t, dir, "telepathy")
++corecmd_exec_bin(telepathy_domain)
++corecmd_exec_shell(telepathy_domain)
+
dev_read_urand(telepathy_domain)
-kernel_read_system_state(telepathy_domain)
-
+-
fs_getattr_all_fs(telepathy_domain)
fs_search_auto_mountpoints(telepathy_domain)
+fs_rw_inherited_tmpfs_files(telepathy_domain)
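Review bot: `corecmd_exec_bin(telepathy_domain)` and `corecmd_exec_shell(telepathy_domain)` extend shell and arbitrary-`bin_t` execution from the individual domains that previously had it (the msn and sunshine rules removed earlier in this patch) to every domain carrying the `telepathy_domain` attribute, including connection managers that parse untrusted protocol data from the network. That widens what a compromised connection manager can do, so unless each telepathy domain really spawns helpers, keeping the two calls on the domains that need them is the least-privilege option. If the attribute-wide grant is intended, a comment above the two lines such as `# all connection managers exec helper binaries/scripts (which?)` would document it. The `telepathy_domain` rule block continues outside this hunk.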
@@ -108466,10 +108556,10 @@ index ae919b9..32cbf8c 100644
optional_policy(`
diff --git a/wine.if b/wine.if
-index fd2b6cc..938c4a7 100644
+index fd2b6cc..111b5b7 100644
--- a/wine.if
+++ b/wine.if
-@@ -1,46 +1,57 @@
+@@ -1,46 +1,58 @@
-## Run Windows programs in Linux.
+## Wine Is Not an Emulator. Run Windows programs in Linux.
@@ -108545,10 +108635,11 @@ index fd2b6cc..938c4a7 100644
+ relabel_dirs_pattern($2, wine_home_t, wine_home_t)
+ relabel_files_pattern($2, wine_home_t, wine_home_t)
+ relabel_lnk_files_pattern($2, wine_home_t, wine_home_t)
++
')
#######################################
-@@ -72,31 +83,25 @@ interface(`wine_role',`
+@@ -72,31 +84,26 @@ interface(`wine_role',`
#
template(`wine_role_template',`
gen_require(`
@@ -108579,6 +108670,7 @@ index fd2b6cc..938c4a7 100644
userdom_unpriv_usertype($1, $1_wine_t)
- userdom_manage_user_tmpfs_files($1_wine_t)
+ userdom_manage_tmpfs_role($2, $1_wine_t)
++ userdom_manage_home_role($1_wine_t, $2)
domain_mmap_low($1_wine_t)
@@ -108589,7 +108681,7 @@ index fd2b6cc..938c4a7 100644
optional_policy(`
xserver_role($1_r, $1_wine_t)
')
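Review bot: The argument order of the added `userdom_manage_home_role($1_wine_t, $2)` is the reverse of the sibling call on the line above, `userdom_manage_tmpfs_role($2, $1_wine_t)`, where `$2` is the role and `$1_wine_t` the domain. If `userdom_manage_home_role` takes `(role, domain)` like its tmpfs counterpart, the new line passes a type where a role is expected and would only go unnoticed because a template is not checked until it is instantiated; the fix is `userdom_manage_home_role($2, $1_wine_t)`. The interface's signature is not visible in this patch, so confirm it before applying. Separately, the interface name says manage, while the changelog for this release says wine domains are allowed to read user home content; one of the two should be corrected so the grant matches its description.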
-@@ -123,9 +128,8 @@ interface(`wine_domtrans',`
+@@ -123,9 +130,8 @@ interface(`wine_domtrans',`
########################################
##
@@ -108601,7 +108693,7 @@ index fd2b6cc..938c4a7 100644
##
##
##
-@@ -140,11 +144,11 @@ interface(`wine_domtrans',`
+@@ -140,11 +146,11 @@ interface(`wine_domtrans',`
#
interface(`wine_run',`
gen_require(`
@@ -108615,7 +108707,7 @@ index fd2b6cc..938c4a7 100644
')
########################################
-@@ -165,3 +169,22 @@ interface(`wine_rw_shm',`
+@@ -165,3 +171,22 @@ interface(`wine_rw_shm',`
allow $1 wine_t:shm rw_shm_perms;
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index d1fcdf5..3a5d900 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 89%{?dist}
+Release: 90%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -604,6 +604,22 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon Nov 03 2014 Lukas Vrabec 3.13.1-90
+- Add support for /dev/nvme controllerdevice nodes created by nvme driver.
+- Add 15672 as amqp_port_t
+- Allow wine domains to read user homedir content
+- Add fixes to allow docker to create more content in tmpfs ,and donaudit reading /proc
+- Allow winbind to read usermodehelper
+- Allow telepathy domains to execute shells and bin_t
+- Allow gpgdomains to create netlink_kobject_uevent_sockets
+- Allow abrt to read software raid state. BZ (1157770)
+- Fix rhcs_signull_haproxy() interface.
+- Add suppor for keepalived unconfined scripts and allow keepalived to read all domain state and kill capability.
+- Allow snapperd to dbus chat with system cron jobs.
+- Allow nslcd to read /dev/urandom.
+- Allow dovecot to create user's home directory when they log into IMAP.
+- Label also logrotate.status.tmp as logrotate_var_lib_t. BZ(1158835)
+
* Wed Oct 29 2014 Lukas Vrabec 3.13.1-89
- Allow keystone_cgi_script_t to bind on commplex_main_port. BZ (#1138424)
- Allow freeipmi_bmc_watchdog rw_sem_perms to freeipmi_ipmiseld