diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 402d0ff..f75f5e3 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -2631,7 +2631,7 @@ index 99e3903..fa68362 100644
##
##
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 1d732f1..e0fc276 100644
+index 1d732f1..1a53101 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -26,6 +26,7 @@ type chfn_exec_t;
@@ -2784,6 +2784,15 @@ index 1d732f1..e0fc276 100644
auth_relabel_shadow(groupadd_t)
auth_etc_filetrans_shadow(groupadd_t)
+@@ -273,7 +297,7 @@ optional_policy(`
+ # Passwd local policy
+ #
+
+-allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_nice sys_resource };
++allow passwd_t self:capability { chown dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource };
+ dontaudit passwd_t self:capability sys_tty_config;
+ allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow passwd_t self:process { setrlimit setfscreate };
@@ -288,6 +312,7 @@ allow passwd_t self:shm create_shm_perms;
allow passwd_t self:sem create_sem_perms;
allow passwd_t self:msgq create_msgq_perms;
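Review bot: The `ipc_lock` capability on the rewritten `allow passwd_t self:capability` line is granted unconditionally, and the policy has no comment saying why. The only rationale visible here is the spec changelog entry about changing the password in gnome-keyring. Because the upstream rule is edited in place, the addition is easy to lose or overlook on a later rebase. Keeping the upstream line and adding a separate `allow passwd_t self:capability ipc_lock;` under a comment like `# ipc_lock: passwd updates the gnome-keyring password (3.13.1-20)` would keep the delta and its reason visible. The Passwd local policy section continues outside this hunk.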
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index dbef4b0..fc9620c 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -4786,10 +4786,10 @@ index f6eb485..51b128e 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
-index 6649962..7954b3b 100644
+index 6649962..1f527f5 100644
--- a/apache.te
+++ b/apache.te
-@@ -5,280 +5,317 @@ policy_module(apache, 2.7.2)
+@@ -5,280 +5,325 @@ policy_module(apache, 2.7.2)
# Declarations
#
@@ -4810,39 +4810,40 @@ index 6649962..7954b3b 100644
##
-gen_tunable(allow_httpd_anon_write, false)
+gen_tunable(httpd_anon_write, false)
++
##
-##
-## Determine whether httpd can use mod_auth_pam.
-##
+##
-+## Allow Apache to use mod_auth_pam
++## Dontaudit Apache to search dirs.
+##
##
-gen_tunable(allow_httpd_mod_auth_pam, false)
-+gen_tunable(httpd_mod_auth_pam, false)
++gen_tunable(httpd_dontaudit_search_dirs, false)
##
-##
-## Determine whether httpd can use built in scripting.
-##
+##
-+## Allow Apache to use mod_auth_ntlm_winbind
++## Allow Apache to use mod_auth_pam
+##
##
-gen_tunable(httpd_builtin_scripting, false)
-+gen_tunable(httpd_mod_auth_ntlm_winbind, false)
++gen_tunable(httpd_mod_auth_pam, false)
##
-##
-## Determine whether httpd can check spam.
-##
+##
-+## Allow httpd scripts and modules execmem/execstack
++## Allow Apache to use mod_auth_ntlm_winbind
+##
##
-gen_tunable(httpd_can_check_spam, false)
-+gen_tunable(httpd_execmem, false)
++gen_tunable(httpd_mod_auth_ntlm_winbind, false)
##
-##
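Review bot: The description added for `httpd_dontaudit_search_dirs` ("Dontaudit Apache to search dirs.") does not tell an administrator what turning the boolean on does. The tunable body added later in apache.te calls `files_dontaudit_search_non_security_dirs(httpd_t)`, so the text could read `Suppress audit records when Apache is denied search access to non-security directories.` Judging by the interface name, the boolean grants no access and only hides denials, which that wording makes explicit.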
@@ -4850,6 +4851,13 @@ index 6649962..7954b3b 100644
-## can connect to the network using TCP.
-##
+##
++## Allow httpd scripts and modules execmem/execstack
++##
++##
++gen_tunable(httpd_execmem, false)
++
++##
++##
+## Allow httpd processes to manage IPA content
+##
+##
@@ -5255,7 +5263,7 @@ index 6649962..7954b3b 100644
type httpd_initrc_exec_t;
init_script_file(httpd_initrc_exec_t)
-@@ -286,15 +323,35 @@ init_script_file(httpd_initrc_exec_t)
+@@ -286,15 +331,35 @@ init_script_file(httpd_initrc_exec_t)
type httpd_keytab_t;
files_type(httpd_keytab_t)
@@ -5291,7 +5299,7 @@ index 6649962..7954b3b 100644
type httpd_rotatelogs_t;
type httpd_rotatelogs_exec_t;
init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
-@@ -302,10 +359,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
+@@ -302,10 +367,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
type httpd_squirrelmail_t;
files_type(httpd_squirrelmail_t)
@@ -5304,7 +5312,7 @@ index 6649962..7954b3b 100644
type httpd_suexec_exec_t;
domain_type(httpd_suexec_t)
domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t)
-@@ -314,9 +369,19 @@ role system_r types httpd_suexec_t;
+@@ -314,9 +377,19 @@ role system_r types httpd_suexec_t;
type httpd_suexec_tmp_t;
files_tmp_file(httpd_suexec_tmp_t)
@@ -5327,7 +5335,7 @@ index 6649962..7954b3b 100644
type httpd_tmp_t;
files_tmp_file(httpd_tmp_t)
-@@ -324,14 +389,21 @@ files_tmp_file(httpd_tmp_t)
+@@ -324,14 +397,21 @@ files_tmp_file(httpd_tmp_t)
type httpd_tmpfs_t;
files_tmpfs_file(httpd_tmpfs_t)
@@ -5350,7 +5358,7 @@ index 6649962..7954b3b 100644
typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
-@@ -346,33 +418,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad
+@@ -346,33 +426,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad
typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
@@ -5401,7 +5409,7 @@ index 6649962..7954b3b 100644
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow httpd_t self:fd use;
allow httpd_t self:sock_file read_sock_file_perms;
-@@ -381,30 +460,38 @@ allow httpd_t self:shm create_shm_perms;
+@@ -381,30 +468,38 @@ allow httpd_t self:shm create_shm_perms;
allow httpd_t self:sem create_sem_perms;
allow httpd_t self:msgq create_msgq_perms;
allow httpd_t self:msg { send receive };
@@ -5445,7 +5453,7 @@ index 6649962..7954b3b 100644
logging_log_filetrans(httpd_t, httpd_log_t, file)
allow httpd_t httpd_modules_t:dir list_dir_perms;
-@@ -412,14 +499,21 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
+@@ -412,14 +507,21 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
@@ -5467,7 +5475,7 @@ index 6649962..7954b3b 100644
allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-@@ -450,140 +544,168 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -450,140 +552,172 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
@@ -5533,7 +5541,7 @@ index 6649962..7954b3b 100644
-fs_search_auto_mountpoints(httpd_t)
+fs_rw_anon_inodefs_files(httpd_t)
+fs_read_hugetlbfs_files(httpd_t)
-
++
+auth_use_nsswitch(httpd_t)
+
+application_exec_all(httpd_t)
@@ -5544,7 +5552,7 @@ index 6649962..7954b3b 100644
+
+domain_use_interactive_fds(httpd_t)
+domain_dontaudit_read_all_domains_state(httpd_t)
-+
+
+files_dontaudit_search_all_pids(httpd_t)
files_dontaudit_getattr_all_pids(httpd_t)
-files_read_usr_files(httpd_t)
@@ -5609,16 +5617,20 @@ index 6649962..7954b3b 100644
-ifdef(`hide_broken_symptoms',`
- libs_exec_lib_files(httpd_t)
++tunable_policy(`httpd_dontaudit_search_dirs',`
++ files_dontaudit_search_non_security_dirs(httpd_t)
+ ')
+
+-tunable_policy(`allow_httpd_anon_write',`
+- miscfiles_manage_public_files(httpd_t)
+#
+# We need optionals to be able to be within booleans to make this work
+#
+tunable_policy(`httpd_mod_auth_pam',`
+ auth_domtrans_chkpwd(httpd_t)
+ logging_send_audit_msgs(httpd_t)
- ')
-
--tunable_policy(`allow_httpd_anon_write',`
-- miscfiles_manage_public_files(httpd_t)
++')
++
+optional_policy(`
+ tunable_policy(`httpd_mod_auth_ntlm_winbind',`
+ samba_domtrans_winbind_helper(httpd_t)
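Review bot: The new httpd_dontaudit_search_dirs tunable_policy block carries no comment about its cost in audit visibility. When enabled, `files_dontaudit_search_non_security_dirs(httpd_t)` silences denied directory searches by httpd_t, which are the AVC records an operator would use to notice a misconfigured or misbehaving web server probing the filesystem. The default of false is the safe choice. A comment above the block such as `# Hides search denials only; turn off when investigating httpd AVCs` would keep that trade-off next to the rule.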
@@ -5701,7 +5713,7 @@ index 6649962..7954b3b 100644
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -594,28 +716,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -594,28 +728,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
')
@@ -5761,7 +5773,7 @@ index 6649962..7954b3b 100644
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -624,68 +768,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -624,68 +780,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_symlinks(httpd_t)
')
@@ -5813,12 +5825,8 @@ index 6649962..7954b3b 100644
- tunable_policy(`httpd_can_network_connect_zabbix',`
- zabbix_tcp_connect(httpd_t)
- ')
-+tunable_policy(`httpd_use_cifs',`
-+ fs_manage_cifs_dirs(httpd_t)
-+ fs_manage_cifs_files(httpd_t)
-+ fs_manage_cifs_symlinks(httpd_t)
- ')
-
+-')
+-
-optional_policy(`
- tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
- spamassassin_domtrans_client(httpd_t)
@@ -5841,8 +5849,12 @@ index 6649962..7954b3b 100644
- tunable_policy(`httpd_mod_auth_ntlm_winbind',`
- samba_domtrans_winbind_helper(httpd_t)
- ')
--')
--
++tunable_policy(`httpd_use_cifs',`
++ fs_manage_cifs_dirs(httpd_t)
++ fs_manage_cifs_files(httpd_t)
++ fs_manage_cifs_symlinks(httpd_t)
+ ')
+
-tunable_policy(`httpd_read_user_content',`
- userdom_read_user_home_content_files(httpd_t)
+tunable_policy(`httpd_use_fusefs',`
@@ -5852,7 +5864,7 @@ index 6649962..7954b3b 100644
')
tunable_policy(`httpd_setrlimit',`
-@@ -695,66 +815,56 @@ tunable_policy(`httpd_setrlimit',`
+@@ -695,66 +827,56 @@ tunable_policy(`httpd_setrlimit',`
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@@ -5873,10 +5885,8 @@ index 6649962..7954b3b 100644
- userdom_use_user_terminals(httpd_t)
-',`
- userdom_dontaudit_use_user_terminals(httpd_t)
-+ userdom_use_inherited_user_terminals(httpd_t)
-+ userdom_use_inherited_user_terminals(httpd_suexec_t)
- ')
-
+-')
+-
-tunable_policy(`httpd_use_cifs',`
- fs_list_auto_mountpoints(httpd_t)
- fs_manage_cifs_dirs(httpd_t)
@@ -5893,8 +5903,10 @@ index 6649962..7954b3b 100644
- fs_manage_fusefs_dirs(httpd_t)
- fs_manage_fusefs_files(httpd_t)
- fs_read_fusefs_symlinks(httpd_t)
--')
--
++ userdom_use_inherited_user_terminals(httpd_t)
++ userdom_use_inherited_user_terminals(httpd_suexec_t)
+ ')
+
-tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
- fs_exec_fusefs_files(httpd_t)
-')
@@ -5950,7 +5962,7 @@ index 6649962..7954b3b 100644
')
optional_policy(`
-@@ -770,6 +880,23 @@ optional_policy(`
+@@ -770,6 +892,23 @@ optional_policy(`
')
optional_policy(`
@@ -5974,7 +5986,7 @@ index 6649962..7954b3b 100644
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
-@@ -786,35 +913,55 @@ optional_policy(`
+@@ -786,35 +925,55 @@ optional_policy(`
')
optional_policy(`
@@ -6043,7 +6055,7 @@ index 6649962..7954b3b 100644
tunable_policy(`httpd_manage_ipa',`
memcached_manage_pid_files(httpd_t)
-@@ -822,8 +969,18 @@ optional_policy(`
+@@ -822,8 +981,18 @@ optional_policy(`
')
optional_policy(`
@@ -6062,7 +6074,7 @@ index 6649962..7954b3b 100644
tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_t)
-@@ -832,6 +989,7 @@ optional_policy(`
+@@ -832,6 +1001,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -6070,7 +6082,7 @@ index 6649962..7954b3b 100644
')
optional_policy(`
-@@ -842,20 +1000,39 @@ optional_policy(`
+@@ -842,20 +1012,39 @@ optional_policy(`
')
optional_policy(`
@@ -6116,7 +6128,7 @@ index 6649962..7954b3b 100644
')
optional_policy(`
-@@ -863,19 +1040,35 @@ optional_policy(`
+@@ -863,19 +1052,35 @@ optional_policy(`
')
optional_policy(`
@@ -6152,7 +6164,7 @@ index 6649962..7954b3b 100644
udev_read_db(httpd_t)
')
-@@ -883,65 +1076,173 @@ optional_policy(`
+@@ -883,65 +1088,173 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -6225,10 +6237,11 @@ index 6649962..7954b3b 100644
-',`
- userdom_dontaudit_use_user_terminals(httpd_helper_t)
+ userdom_use_inherited_user_terminals(httpd_helper_t)
-+')
-+
-+########################################
-+#
+ ')
+
+ ########################################
+ #
+-# Suexec local policy
+# Apache PHP script local policy
+#
+
@@ -6287,11 +6300,10 @@ index 6649962..7954b3b 100644
+ tunable_policy(`httpd_can_network_connect_db',`
+ postgresql_tcp_connect(httpd_php_t)
+ ')
- ')
-
- ########################################
- #
--# Suexec local policy
++')
++
++########################################
++#
+# Apache suexec local policy
#
@@ -6348,7 +6360,7 @@ index 6649962..7954b3b 100644
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
-@@ -950,123 +1251,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -950,123 +1263,74 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
@@ -6503,7 +6515,7 @@ index 6649962..7954b3b 100644
mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',`
-@@ -1083,172 +1335,106 @@ optional_policy(`
+@@ -1083,172 +1347,106 @@ optional_policy(`
')
')
@@ -6528,11 +6540,11 @@ index 6649962..7954b3b 100644
-
-append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
-read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
-+allow httpd_sys_script_t self:process getsched;
-
+-
-kernel_dontaudit_search_sysctl(httpd_script_domains)
-kernel_dontaudit_search_kernel_sysctl(httpd_script_domains)
--
++allow httpd_sys_script_t self:process getsched;
+
-corenet_all_recvfrom_unlabeled(httpd_script_domains)
-corenet_all_recvfrom_netlabel(httpd_script_domains)
-corenet_tcp_sendrecv_generic_if(httpd_script_domains)
@@ -6621,15 +6633,6 @@ index 6649962..7954b3b 100644
- corenet_sendrecv_oracledb_client_packets(httpd_script_domains)
- corenet_tcp_connect_oracledb_port(httpd_script_domains)
- corenet_tcp_sendrecv_oracledb_port(httpd_script_domains)
--')
--
--optional_policy(`
-- mysql_read_config(httpd_script_domains)
-- mysql_stream_connect(httpd_script_domains)
--
-- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
-- mysql_tcp_connect(httpd_script_domains)
-- ')
+tunable_policy(`httpd_can_network_connect_db',`
+ corenet_tcp_connect_gds_db_port(httpd_sys_script_t)
+ corenet_tcp_connect_mssql_port(httpd_sys_script_t)
@@ -6639,12 +6642,21 @@ index 6649962..7954b3b 100644
')
-optional_policy(`
-- postgresql_stream_connect(httpd_script_domains)
+- mysql_read_config(httpd_script_domains)
+- mysql_stream_connect(httpd_script_domains)
+-
+- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
+- mysql_tcp_connect(httpd_script_domains)
+- ')
+-')
+fs_cifs_entry_type(httpd_sys_script_t)
+fs_read_iso9660_files(httpd_sys_script_t)
+fs_nfs_entry_type(httpd_sys_script_t)
+fs_rw_anon_inodefs_files(httpd_sys_script_t)
+-optional_policy(`
+- postgresql_stream_connect(httpd_script_domains)
+-
- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
- postgresql_tcp_connect(httpd_script_domains)
- ')
@@ -6681,7 +6693,8 @@ index 6649962..7954b3b 100644
-allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
-allow httpd_sys_script_t squirrelmail_spool_t:file read_file_perms;
-allow httpd_sys_script_t squirrelmail_spool_t:lnk_file read_lnk_file_perms;
--
++corenet_all_recvfrom_netlabel(httpd_sys_script_t)
+
-kernel_read_kernel_sysctls(httpd_sys_script_t)
-
-fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -6701,8 +6714,7 @@ index 6649962..7954b3b 100644
- corenet_sendrecv_pop_client_packets(httpd_sys_script_t)
- corenet_tcp_connect_pop_port(httpd_sys_script_t)
- corenet_tcp_sendrecv_pop_port(httpd_sys_script_t)
-+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
-
+-
- mta_send_mail(httpd_sys_script_t)
- mta_signal_system_mail(httpd_sys_script_t)
+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
@@ -6740,7 +6752,7 @@ index 6649962..7954b3b 100644
')
tunable_policy(`httpd_read_user_content',`
-@@ -1256,64 +1442,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1256,64 +1454,74 @@ tunable_policy(`httpd_read_user_content',`
')
tunable_policy(`httpd_use_cifs',`
@@ -6837,7 +6849,7 @@ index 6649962..7954b3b 100644
########################################
#
-@@ -1321,8 +1517,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1321,8 +1529,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
#
optional_policy(`
@@ -6854,7 +6866,7 @@ index 6649962..7954b3b 100644
')
########################################
-@@ -1330,49 +1533,38 @@ optional_policy(`
+@@ -1330,49 +1545,38 @@ optional_policy(`
# User content local policy
#
@@ -6919,7 +6931,7 @@ index 6649962..7954b3b 100644
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
-@@ -1382,38 +1574,100 @@ dev_read_urand(httpd_passwd_t)
+@@ -1382,38 +1586,100 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t)
@@ -25291,7 +25303,7 @@ index 50d0084..94e1936 100644
fail2ban_run_client($1, $2)
diff --git a/fail2ban.te b/fail2ban.te
-index cf0e567..91d4dfb 100644
+index cf0e567..fed8792 100644
--- a/fail2ban.te
+++ b/fail2ban.te
@@ -37,7 +37,7 @@ role fail2ban_client_roles types fail2ban_client_t;
@@ -25368,7 +25380,7 @@ index cf0e567..91d4dfb 100644
shorewall_domtrans(fail2ban_t)
')
-@@ -131,22 +144,25 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read };
+@@ -131,22 +144,29 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read };
domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
@@ -25398,6 +25410,10 @@ index cf0e567..91d4dfb 100644
-
userdom_dontaudit_search_user_home_dirs(fail2ban_client_t)
userdom_use_user_terminals(fail2ban_client_t)
++
++optional_policy(`
++ apache_read_log(fail2ban_client_t)
++')
diff --git a/fcoe.te b/fcoe.te
index ce358fb..aabd04f 100644
--- a/fcoe.te
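Review bot: The added `apache_read_log(fail2ban_client_t)` gives the client domain read access to Apache logs, but nothing in the policy states what the client needs them for. The changelog only says the client is "also" allowed. fail2ban_client_t is the domain that uses user terminals (`userdom_use_user_terminals(fail2ban_client_t)` just above), and web logs can contain request data. The optional block therefore deserves a one-line comment naming the use case, for example `# fail2ban-client opens the monitored log itself when testing a jail` if that is the reason.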
@@ -27102,10 +27118,10 @@ index 0000000..9e17d3e
+')
diff --git a/geoclue.te b/geoclue.te
new file mode 100644
-index 0000000..64faa9e
+index 0000000..1fb8bd5
--- /dev/null
+++ b/geoclue.te
-@@ -0,0 +1,38 @@
+@@ -0,0 +1,45 @@
+policy_module(geoclue, 1.0.0)
+
+########################################
@@ -27121,6 +27137,9 @@ index 0000000..64faa9e
+type geoclue_var_lib_t;
+files_type(geoclue_var_lib_t)
+
++type geoclue_tmp_t;
++files_tmp_file(geoclue_tmp_t)
++
+########################################
+#
+# geoclue local policy
@@ -27131,6 +27150,10 @@ index 0000000..64faa9e
+manage_lnk_files_pattern(geoclue_t, geoclue_var_lib_t, geoclue_var_lib_t)
+files_var_lib_filetrans(geoclue_t, geoclue_var_lib_t, { dir })
+
++manage_files_pattern(geoclue_t, geoclue_tmp_t, geoclue_tmp_t)
++manage_dirss_pattern(geoclue_t, geoclue_tmp_t, geoclue_tmp_t)
++files_tmp_filetrans(geoclue_t, geoclue_tmp_t, { dir file })
++
+corenet_tcp_connect_http_port(geoclue_t)
+
+corecmd_exec_bin(geoclue_t)
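Review bot: `manage_dirss_pattern(geoclue_t, geoclue_tmp_t, geoclue_tmp_t)` has a doubled `s`; the pattern macro used elsewhere in this patch is `manage_dirs_pattern` (for example the httpd_tmp_t rule in apache.te). As written the name is presumably not a defined macro. Either the module fails to build, or geoclue ends up with no directory permissions on geoclue_tmp_t even though `files_tmp_filetrans` requests a `dir` transition. The line should read `manage_dirs_pattern(geoclue_t, geoclue_tmp_t, geoclue_tmp_t)`.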
@@ -80608,10 +80631,10 @@ index 7fb75f4..27f5e22 100644
+userdom_getattr_user_terminals(rwho_t)
+
diff --git a/samba.fc b/samba.fc
-index b8b66ff..2ccac49 100644
+index b8b66ff..d1fa967 100644
--- a/samba.fc
+++ b/samba.fc
-@@ -1,42 +1,54 @@
+@@ -1,42 +1,55 @@
-/etc/rc\.d/init\.d/nmb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/smb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0)
+
@@ -80637,6 +80660,7 @@ index b8b66ff..2ccac49 100644
+#
+/usr/lib/systemd/system/smb.* -- gen_context(system_u:object_r:samba_unit_file_t,s0)
+/usr/lib/systemd/system/nmb.* -- gen_context(system_u:object_r:samba_unit_file_t,s0)
++/usr/lib/systemd/system/winbind.* -- gen_context(system_u:object_r:samba_unit_file_t,s0)
-/usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0)
-/usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0)
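Review bot: In the added `/usr/lib/systemd/system/winbind.*` entry the dot is an unescaped regex metacharacter, so the pattern labels every path under that directory whose name begins with `winbind` as samba_unit_file_t, not only `winbind.service`. Other entries in samba.fc escape literal dots (`/etc/rc\.d/init\.d/nmb`, `nmbd\.pid`), so `winbind\.service`, or at least `winbind\..*`, would be tighter and consistent with them. The neighbouring `smb.*` and `nmb.*` unit-file lines are equally loose and could be tightened at the same time.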
@@ -80692,7 +80716,7 @@ index b8b66ff..2ccac49 100644
/var/run/samba/messages\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
/var/run/samba/namelist\.debug -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
/var/run/samba/nmbd\.pid -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
-@@ -45,7 +57,11 @@
+@@ -45,7 +58,11 @@
/var/run/samba/smbd\.pid -- gen_context(system_u:object_r:smbd_var_run_t,s0)
/var/run/samba/unexpected\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
@@ -100334,10 +100358,10 @@ index 0000000..044be2f
+')
diff --git a/vmtools.te b/vmtools.te
new file mode 100644
-index 0000000..b4d2dac
+index 0000000..1398ead
--- /dev/null
+++ b/vmtools.te
-@@ -0,0 +1,42 @@
+@@ -0,0 +1,44 @@
+policy_module(vmtools, 1.0.0)
+
+########################################
@@ -100377,6 +100401,8 @@ index 0000000..b4d2dac
+dev_read_urand(vmtools_t)
+dev_getattr_all_blk_files(vmtools_t)
+
++fs_getattr_all_fs(vmtools_t)
++
+auth_use_nsswitch(vmtools_t)
+
+logging_send_syslog_msg(vmtools_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index d2c5efd..be21a00 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 19%{?dist}
+Release: 20%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -578,6 +578,14 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Thu Jan 30 2014 Miroslav Grepl 3.13.1-20
+- Allow passwd_t to use ipc_lock, so that it can change the password in gnome-keyring
+- Allow geoclue to create temporary files/dirs in /tmp
+- Add httpd_dontaudit_search_dirs boolean
+- Add support for winbind.service
+- ALlow also fail2ban-client to read apache logs
+- Allow vmtools to getattr on all fs
+
* Tue Jan 28 2014 Miroslav Grepl 3.13.1-19
- Add net_admin also for systemd_passwd_agent_t
- Allow Associate usermodehelper_t to sysfs filesystem