diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index fe45995..b147456 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -235863,10 +235863,10 @@ index 0000000..a4b0917
+
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..9b74225
+index 0000000..1131866
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,612 @@
+@@ -0,0 +1,616 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -236474,10 +236474,14 @@ index 0000000..9b74225
+
+files_read_system_conf_files(systemd_sysctl_t)
+
++dev_write_kmsg(systemd_sysctl_t)
++
+domain_use_interactive_fds(systemd_sysctl_t)
+
+files_read_etc_files(systemd_sysctl_t)
+
++init_stream_connect(systemd_sysctl_t)
++
+logging_stream_connect_syslog(systemd_sysctl_t)
diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index 40928d8..49fd32e 100644
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index eadbfcc..c640e4c 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -8023,7 +8023,7 @@ index e73fb79..2badfc0 100644
domain_system_change_exemption($1)
role_transition $2 bitlbee_initrc_exec_t system_r;
diff --git a/bitlbee.te b/bitlbee.te
-index ac8c91e..a63f4c2 100644
+index ac8c91e..80ecd7e 100644
--- a/bitlbee.te
+++ b/bitlbee.te
@@ -35,9 +35,12 @@ files_pid_file(bitlbee_var_run_t)
@@ -8041,7 +8041,15 @@ index ac8c91e..a63f4c2 100644
allow bitlbee_t bitlbee_conf_t:dir list_dir_perms;
allow bitlbee_t bitlbee_conf_t:file read_file_perms;
-@@ -59,8 +62,8 @@ manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
+@@ -45,6 +48,7 @@ allow bitlbee_t bitlbee_conf_t:file read_file_perms;
+ manage_dirs_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
+ append_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
+ create_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
++read_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
+ setattr_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
+
+ manage_files_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
+@@ -59,8 +63,8 @@ manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
manage_sock_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
files_pid_filetrans(bitlbee_t, bitlbee_var_run_t, { dir file sock_file })
@@ -8051,7 +8059,7 @@ index ac8c91e..a63f4c2 100644
corenet_all_recvfrom_unlabeled(bitlbee_t)
corenet_all_recvfrom_netlabel(bitlbee_t)
-@@ -109,16 +112,12 @@ corenet_tcp_sendrecv_interwise_port(bitlbee_t)
+@@ -109,16 +113,12 @@ corenet_tcp_sendrecv_interwise_port(bitlbee_t)
dev_read_rand(bitlbee_t)
dev_read_urand(bitlbee_t)
@@ -23395,7 +23403,7 @@ index 9eacb2c..229782f 100644
init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t })
domain_system_change_exemption($1)
diff --git a/glance.te b/glance.te
-index e0a4f46..be03e22 100644
+index e0a4f46..70277e8 100644
--- a/glance.te
+++ b/glance.te
@@ -7,8 +7,7 @@ policy_module(glance, 1.0.2)
@@ -23421,7 +23429,15 @@ index e0a4f46..be03e22 100644
init_daemon_domain(glance_api_t, glance_api_exec_t)
type glance_api_initrc_exec_t;
-@@ -56,10 +57,6 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
+@@ -41,6 +42,7 @@ files_pid_file(glance_var_run_t)
+ # Common local policy
+ #
+
++allow glance_domain self:process signal_perms;
+ allow glance_domain self:fifo_file rw_fifo_file_perms;
+ allow glance_domain self:unix_stream_socket create_stream_socket_perms;
+ allow glance_domain self:tcp_socket { accept listen };
+@@ -56,10 +58,6 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
manage_dirs_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
@@ -23432,7 +23448,7 @@ index e0a4f46..be03e22 100644
corenet_tcp_sendrecv_generic_if(glance_domain)
corenet_tcp_sendrecv_generic_node(glance_domain)
corenet_tcp_sendrecv_all_ports(glance_domain)
-@@ -70,13 +67,10 @@ corecmd_exec_shell(glance_domain)
+@@ -70,13 +68,10 @@ corecmd_exec_shell(glance_domain)
dev_read_urand(glance_domain)
@@ -23447,7 +23463,7 @@ index e0a4f46..be03e22 100644
sysnet_dns_name_resolve(glance_domain)
########################################
-@@ -88,8 +82,15 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm
+@@ -88,8 +83,15 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm
manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t)
files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { dir file })
@@ -23463,7 +23479,7 @@ index e0a4f46..be03e22 100644
logging_send_syslog_msg(glance_registry_t)
-@@ -108,13 +109,19 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
+@@ -108,13 +110,19 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file })
can_exec(glance_api_t, glance_tmp_t)
@@ -26764,7 +26780,7 @@ index 180f1b7..951b790 100644
+ userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
+')
diff --git a/gpg.te b/gpg.te
-index 44cf341..c47fa5f 100644
+index 44cf341..8424d09 100644
--- a/gpg.te
+++ b/gpg.te
@@ -1,47 +1,47 @@
@@ -26836,7 +26852,7 @@ index 44cf341..c47fa5f 100644
type gpg_secret_t;
typealias gpg_secret_t alias { user_gpg_secret_t staff_gpg_secret_t sysadm_gpg_secret_t };
-@@ -52,112 +52,115 @@ type gpg_helper_t;
+@@ -52,112 +52,116 @@ type gpg_helper_t;
type gpg_helper_exec_t;
typealias gpg_helper_t alias { user_gpg_helper_t staff_gpg_helper_t sysadm_gpg_helper_t };
typealias gpg_helper_t alias { auditadm_gpg_helper_t secadm_gpg_helper_t };
@@ -26912,6 +26928,7 @@ index 44cf341..c47fa5f 100644
+userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir, ".gnupg")
kernel_read_sysctl(gpg_t)
++kernel_read_system_state(gpg_t)
+kernel_getattr_core_if(gpg_t)
corecmd_exec_shell(gpg_t)
@@ -27000,7 +27017,7 @@ index 44cf341..c47fa5f 100644
')
optional_policy(`
-@@ -165,37 +168,51 @@ optional_policy(`
+@@ -165,37 +169,51 @@ optional_policy(`
')
optional_policy(`
@@ -27063,7 +27080,7 @@ index 44cf341..c47fa5f 100644
tunable_policy(`use_nfs_home_dirs',`
fs_dontaudit_rw_nfs_files(gpg_helper_t)
-@@ -207,29 +224,35 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -207,29 +225,35 @@ tunable_policy(`use_samba_home_dirs',`
########################################
#
@@ -27105,7 +27122,7 @@ index 44cf341..c47fa5f 100644
corecmd_exec_shell(gpg_agent_t)
dev_read_rand(gpg_agent_t)
-@@ -239,31 +262,30 @@ domain_use_interactive_fds(gpg_agent_t)
+@@ -239,31 +263,30 @@ domain_use_interactive_fds(gpg_agent_t)
fs_dontaudit_list_inotifyfs(gpg_agent_t)
@@ -27148,7 +27165,7 @@ index 44cf341..c47fa5f 100644
')
optional_policy(`
-@@ -277,8 +299,17 @@ optional_policy(`
+@@ -277,8 +300,17 @@ optional_policy(`
allow gpg_pinentry_t self:process { getcap getsched setsched signal };
allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
@@ -27167,7 +27184,7 @@ index 44cf341..c47fa5f 100644
manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file)
-@@ -287,53 +318,89 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
+@@ -287,53 +319,89 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
@@ -45643,10 +45660,10 @@ index f5d145d..97e1148 100644
+ virt_ptrace(numad_t)
+')
diff --git a/nut.fc b/nut.fc
-index 379af96..371119d 100644
+index 379af96..41ff159 100644
--- a/nut.fc
+++ b/nut.fc
-@@ -1,23 +1,13 @@
+@@ -1,23 +1,16 @@
-/etc/nut(/.*)? gen_context(system_u:object_r:nut_conf_t,s0)
-/etc/ups(/.*)? gen_context(system_u:object_r:nut_conf_t,s0)
+/etc/ups(/.*)? gen_context(system_u:object_r:nut_conf_t,s0)
@@ -45657,14 +45674,16 @@ index 379af96..371119d 100644
-/sbin/upsd -- gen_context(system_u:object_r:nut_upsd_exec_t,s0)
/sbin/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
-/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0)
--
+
-/usr/lib/cgi-bin/nut/upsimage\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
-/usr/lib/cgi-bin/nut/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
-/usr/lib/cgi-bin/nut/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
++/usr/lib/systemd/system/nut.* -- gen_context(system_u:object_r:nut_unit_file_t,s0)
/usr/sbin/upsd -- gen_context(system_u:object_r:nut_upsd_exec_t,s0)
/usr/sbin/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
-/usr/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0)
++/usr/sbin/blazer_usb -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
+/usr/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0)
/var/run/nut(/.*)? gen_context(system_u:object_r:nut_var_run_t,s0)
@@ -45676,29 +45695,35 @@ index 379af96..371119d 100644
+/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
+/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
diff --git a/nut.if b/nut.if
-index 57c0161..56660c5 100644
+index 57c0161..d5ad79d 100644
--- a/nut.if
+++ b/nut.if
-@@ -1,39 +1 @@
+@@ -1,39 +1,25 @@
-## Network UPS Tools
--
++## nut - Network UPS Tools
+
-########################################
--##
++#######################################
+ ##
-## All of the rules required to
-## administrate an nut environment.
--##
--##
++## Execute swift server in the swift domain.
+ ##
+ ##
-##
-## Domain allowed access.
-##
--##
++##
++## Domain allowed to transition.
++##
+ ##
-##
-##
-## Role allowed access.
-##
-##
-##
--#
+ #
-interface(`nut_admin',`
- gen_require(`
- attribute nut_domain;
@@ -45712,19 +45737,28 @@ index 57c0161..56660c5 100644
- domain_system_change_exemption($1)
- role_transition $2 nut_initrc_exec_t system_r;
- allow $2 system_r;
--
++interface(`nut_systemctl',`
++ gen_require(`
++ type nut_t;
++ type nut_unit_file_t;
++ ')
+
- files_search_etc($1)
- admin_pattern($1, nut_conf_t)
--
++ systemd_exec_systemctl($1)
++ systemd_read_fifo_file_password_run($1)
++ allow $1 nut_unit_file_t:file read_file_perms;
++ allow $1 nut_unit_file_t:service manage_service_perms;
+
- files_search_pids($1)
- admin_pattern($1, nut_var_run_t)
--')
-+## nut - Network UPS Tools
++ ps_process_pattern($1, swift_t)
+ ')
diff --git a/nut.te b/nut.te
-index 0c9deb7..87c7eb7 100644
+index 0c9deb7..dbc52a1 100644
--- a/nut.te
+++ b/nut.te
-@@ -1,121 +1,105 @@
+@@ -1,121 +1,108 @@
-policy_module(nut, 1.2.4)
+policy_module(nut, 1.2.0)
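Review bot: The new `nut_systemctl` interface still carries names from the swift interface it appears to have been copied from: its last rule is `ps_process_pattern($1, swift_t)`, yet `swift_t` is not in the `gen_require` block, which instead requires `nut_t`, a type that none of the nut.te hunks on this page declare (they show `nut_upsd_t`, `nut_upsmon_t` and `nut_upsdrvctl_t`). As written, a caller would either hit an unsatisfied require or be allowed to read the process state of an unrelated domain. I would drop `type nut_t;` from the require block and either remove the last rule or replace it with one `ps_process_pattern($1, ...)` line per nut daemon domain. The summary line in the preceding hunk, `Execute swift server in the swift domain.`, is the same leftover and should describe running systemctl on the nut unit files.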
@@ -45759,6 +45793,9 @@ index 0c9deb7..87c7eb7 100644
type nut_var_run_t;
files_pid_file(nut_var_run_t)
-init_daemon_run_dir(nut_var_run_t, "nut")
++
++type nut_unit_file_t;
++systemd_unit_file(nut_unit_file_t)
########################################
#
@@ -45774,20 +45811,20 @@ index 0c9deb7..87c7eb7 100644
-allow nut_domain nut_conf_t:dir list_dir_perms;
-allow nut_domain nut_conf_t:file read_file_perms;
-allow nut_domain nut_conf_t:lnk_file read_lnk_file_perms;
--
--manage_files_pattern(nut_domain, nut_var_run_t, nut_var_run_t)
--manage_dirs_pattern(nut_domain, nut_var_run_t, nut_var_run_t)
--files_pid_filetrans(nut_domain, nut_var_run_t, { dir file })
+allow nut_upsd_t self:capability { setgid setuid dac_override };
+allow nut_upsd_t self:process signal_perms;
--kernel_read_kernel_sysctls(nut_domain)
+-manage_files_pattern(nut_domain, nut_var_run_t, nut_var_run_t)
+-manage_dirs_pattern(nut_domain, nut_var_run_t, nut_var_run_t)
+-files_pid_filetrans(nut_domain, nut_var_run_t, { dir file })
+allow nut_upsd_t self:unix_dgram_socket { create_socket_perms sendto };
+allow nut_upsd_t self:tcp_socket connected_stream_socket_perms;
--logging_send_syslog_msg(nut_domain)
+-kernel_read_kernel_sysctls(nut_domain)
+allow nut_upsd_t nut_upsdrvctl_t:unix_stream_socket connectto;
+-logging_send_syslog_msg(nut_domain)
+-
-miscfiles_read_localization(nut_domain)
-
-########################################
@@ -45803,18 +45840,18 @@ index 0c9deb7..87c7eb7 100644
+manage_dirs_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
-files_pid_filetrans(nut_upsd_t, nut_var_run_t, sock_file)
--
--stream_connect_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t, nut_upsdrvctl_t)
+files_pid_filetrans(nut_upsd_t, nut_var_run_t, { dir file sock_file })
+-stream_connect_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t, nut_upsdrvctl_t)
++kernel_read_kernel_sysctls(nut_upsd_t)
+
-corenet_all_recvfrom_unlabeled(nut_upsd_t)
-corenet_all_recvfrom_netlabel(nut_upsd_t)
-corenet_tcp_sendrecv_generic_if(nut_upsd_t)
-corenet_tcp_sendrecv_generic_node(nut_upsd_t)
-corenet_tcp_sendrecv_all_ports(nut_upsd_t)
-corenet_tcp_bind_generic_node(nut_upsd_t)
-+kernel_read_kernel_sysctls(nut_upsd_t)
-
+-
-corenet_sendrecv_ups_server_packets(nut_upsd_t)
corenet_tcp_bind_ups_port(nut_upsd_t)
-
@@ -45842,9 +45879,9 @@ index 0c9deb7..87c7eb7 100644
+allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto };
+allow nut_upsmon_t self:unix_stream_socket { create_socket_perms connectto };
+allow nut_upsmon_t self:tcp_socket create_socket_perms;
-
-+read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)
+
++read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)
+
+# pid file
+manage_files_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)
+manage_dirs_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)
@@ -45889,7 +45926,7 @@ index 0c9deb7..87c7eb7 100644
mta_send_mail(nut_upsmon_t)
optional_policy(`
-@@ -124,14 +108,27 @@ optional_policy(`
+@@ -124,14 +111,27 @@ optional_policy(`
########################################
#
@@ -45919,7 +45956,7 @@ index 0c9deb7..87c7eb7 100644
corecmd_exec_bin(nut_upsdrvctl_t)
dev_read_sysfs(nut_upsdrvctl_t)
-@@ -144,17 +141,28 @@ auth_use_nsswitch(nut_upsdrvctl_t)
+@@ -144,17 +144,28 @@ auth_use_nsswitch(nut_upsdrvctl_t)
init_sigchld(nut_upsdrvctl_t)
@@ -47570,7 +47607,7 @@ index 0000000..1a26cd5
+')
diff --git a/openshift.te b/openshift.te
new file mode 100644
-index 0000000..4bc6574
+index 0000000..b89f7fc
--- /dev/null
+++ b/openshift.te
@@ -0,0 +1,463 @@
@@ -47970,7 +48007,7 @@ index 0000000..4bc6574
+#
+# openshift_cron local policy
+#
-+allow openshift_cron_t self:capability net_admin;
++allow openshift_cron_t self:capability { net_admin sys_admin };
+allow openshift_cron_t self:process signal_perms;
+allow openshift_cron_t self:tcp_socket create_stream_socket_perms;
+allow openshift_cron_t self:udp_socket create_socket_perms;
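Review bot: Adding `sys_admin` to `openshift_cron_t` is the broadest grant in this update, and nothing records why it is needed: the rule has no comment, and the 3.12.1-11 changelog entry in selinux-policy.spec does not mention openshift. `CAP_SYS_ADMIN` covers mount, namespace and many other privileged operations, so a cron domain should receive it only with a stated reason. I would add a comment above the rule naming the denied operation, for example `# sys_admin: required for <operation from the AVC> - confirm`, and check whether a narrower permission or a `dontaudit` covers that case.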
@@ -48762,7 +48799,7 @@ index 9682d9a..d47f913 100644
+ ')
')
diff --git a/pacemaker.te b/pacemaker.te
-index 3dd8ada..9683812 100644
+index 3dd8ada..993c92c 100644
--- a/pacemaker.te
+++ b/pacemaker.te
@@ -5,6 +5,13 @@ policy_module(pacemaker, 1.0.2)
@@ -48839,7 +48876,7 @@ index 3dd8ada..9683812 100644
files_read_kernel_symbol_table(pacemaker_t)
fs_getattr_all_fs(pacemaker_t)
-@@ -75,9 +87,16 @@ auth_use_nsswitch(pacemaker_t)
+@@ -75,9 +87,20 @@ auth_use_nsswitch(pacemaker_t)
logging_send_syslog_msg(pacemaker_t)
@@ -48855,8 +48892,12 @@ index 3dd8ada..9683812 100644
+ corosync_setattr_log(pacemaker_t)
corosync_stream_connect(pacemaker_t)
+ corosync_rw_tmpfs(pacemaker_t)
- ')
++')
+
++optional_policy(`
++ #executes heartbeat lib files
++ rgmanager_execute_lib(pacemaker_t)
+ ')
diff --git a/pads.if b/pads.if
index 6e097c9..503c97a 100644
--- a/pads.if
@@ -62321,12 +62362,14 @@ index f1512d6..93f1ee6 100644
userdom_dontaudit_search_user_home_dirs(readahead_t)
diff --git a/realmd.fc b/realmd.fc
-index 04babe3..3c24ce4 100644
+index 04babe3..02a1f34 100644
--- a/realmd.fc
+++ b/realmd.fc
-@@ -1 +1 @@
+@@ -1 +1,3 @@
-/usr/lib/realmd/realmd -- gen_context(system_u:object_r:realmd_exec_t,s0)
+/usr/lib/realmd/realmd -- gen_context(system_u:object_r:realmd_exec_t,s0)
++
++/var/cache/realmd(/.*)? gen_context(system_u:object_r:realmd_var_cache_t,s0)
diff --git a/realmd.if b/realmd.if
index bff31df..e38693b 100644
--- a/realmd.if
@@ -62344,7 +62387,7 @@ index bff31df..e38693b 100644
##
##
diff --git a/realmd.te b/realmd.te
-index 9a8f052..5372646 100644
+index 9a8f052..ecd8eaf 100644
--- a/realmd.te
+++ b/realmd.te
@@ -1,4 +1,4 @@
@@ -62353,13 +62396,16 @@ index 9a8f052..5372646 100644
########################################
#
-@@ -7,11 +7,12 @@ policy_module(realmd, 1.0.2)
+@@ -7,43 +7,52 @@ policy_module(realmd, 1.0.2)
type realmd_t;
type realmd_exec_t;
-init_system_domain(realmd_t, realmd_exec_t)
+application_domain(realmd_t, realmd_exec_t)
+role system_r types realmd_t;
++
++type realmd_var_cache_t;
++files_type(realmd_var_cache_t)
########################################
#
@@ -62368,7 +62414,13 @@ index 9a8f052..5372646 100644
#
allow realmd_t self:capability sys_nice;
-@@ -22,28 +23,30 @@ kernel_read_system_state(realmd_t)
+ allow realmd_t self:process setsched;
+
++manage_files_pattern(realmd_t, realmd_var_cache_t, realmd_var_cache_t)
++manage_dirs_pattern(realmd_t, realmd_var_cache_t, realmd_var_cache_t)
++
+ kernel_read_system_state(realmd_t)
+
corecmd_exec_bin(realmd_t)
corecmd_exec_shell(realmd_t)
@@ -62408,7 +62460,7 @@ index 9a8f052..5372646 100644
optional_policy(`
dbus_system_domain(realmd_t, realmd_exec_t)
-@@ -67,17 +70,21 @@ optional_policy(`
+@@ -67,17 +76,21 @@ optional_policy(`
optional_policy(`
nis_exec_ypbind(realmd_t)
@@ -62433,7 +62485,7 @@ index 9a8f052..5372646 100644
')
optional_policy(`
-@@ -86,5 +93,9 @@ optional_policy(`
+@@ -86,5 +99,9 @@ optional_policy(`
sssd_manage_lib_files(realmd_t)
sssd_manage_public_files(realmd_t)
sssd_read_pid_files(realmd_t)
@@ -62698,7 +62750,7 @@ index 5421af0..91e69b8 100644
+/var/run/heartbeat(/.*)? gen_context(system_u:object_r:rgmanager_var_run_t,s0)
+/var/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0)
diff --git a/rgmanager.if b/rgmanager.if
-index 1c2f9aa..5bd6fdb 100644
+index 1c2f9aa..7d70a46 100644
--- a/rgmanager.if
+++ b/rgmanager.if
@@ -1,13 +1,13 @@
@@ -62801,7 +62853,7 @@ index 1c2f9aa..5bd6fdb 100644
init_labeled_script_domtrans($1, rgmanager_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -121,3 +139,27 @@ interface(`rgmanager_admin',`
+@@ -121,3 +139,47 @@ interface(`rgmanager_admin',`
files_list_pids($1)
admin_pattern($1, rgmanager_var_run_t)
')
@@ -62829,6 +62881,26 @@ index 1c2f9aa..5bd6fdb 100644
+ files_list_pids($1)
+ admin_pattern($1, rgmanager_var_run_t)
+')
++
++######################################
++##
++## Allow the specified domain to execute rgmanager's lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rgmanager_execute_lib',`
++ gen_require(`
++ type rgmanager_var_lib_t;
++ ')
++
++ files_list_var_lib($1)
++ allow $1 rgmanager_var_lib_t:dir search_dir_perms;
++ can_exec($1, rgmanager_var_lib_t)
++')
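Review bot: `can_exec($1, rgmanager_var_lib_t)` lets the caller run these files in its own domain, so `pacemaker_t` (the caller added in pacemaker.te) would execute anything labeled `rgmanager_var_lib_t` with pacemaker's permissions. That type is a var_lib data type; if `rgmanager_t` or another domain can write to it (not visible on this page), this opens a write-then-execute path between the two daemons. I would state that in the interface summary and consider giving the heartbeat scripts a dedicated executable type so that only those files are runnable. The interface name also departs from the `_exec_` naming used elsewhere on this page (`nis_exec_ypbind`, `systemd_exec_systemctl`); `rgmanager_exec_lib` would match.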
diff --git a/rgmanager.te b/rgmanager.te
index b418d1c..1ad9c12 100644
--- a/rgmanager.te
@@ -63054,15 +63126,16 @@ index b418d1c..1ad9c12 100644
xen_domtrans_xm(rgmanager_t)
')
diff --git a/rhcs.fc b/rhcs.fc
-index 47de2d6..977f2eb 100644
+index 47de2d6..d022603 100644
--- a/rhcs.fc
+++ b/rhcs.fc
-@@ -1,31 +1,30 @@
+@@ -1,31 +1,31 @@
-/etc/rc\.d/init\.d/dlm -- gen_context(system_u:object_r:dlm_controld_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/foghorn -- gen_context(system_u:object_r:foghorn_initrc_exec_t,s0)
+/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
+/usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0)
++/usr/sbin/fence_sanlockd -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/sbin/fence_tool -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/sbin/fence_virtd -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0)
@@ -71365,7 +71438,7 @@ index cd6c213..34b861a 100644
+ allow $1 sanlock_unit_file_t:service all_service_perms;
')
diff --git a/sanlock.te b/sanlock.te
-index a34eac4..4f4eaf4 100644
+index a34eac4..114c9d2 100644
--- a/sanlock.te
+++ b/sanlock.te
@@ -1,4 +1,4 @@
@@ -71460,7 +71533,7 @@ index a34eac4..4f4eaf4 100644
auth_use_nsswitch(sanlock_t)
init_read_utmp(sanlock_t)
-@@ -79,20 +87,25 @@ init_dontaudit_write_utmp(sanlock_t)
+@@ -79,20 +87,29 @@ init_dontaudit_write_utmp(sanlock_t)
logging_send_syslog_msg(sanlock_t)
@@ -71492,10 +71565,14 @@ index a34eac4..4f4eaf4 100644
+ fs_manage_cifs_files(sanlock_t)
+ fs_manage_cifs_named_sockets(sanlock_t)
+ fs_read_cifs_symlinks(sanlock_t)
++')
++
++optional_policy(`
++ rhcs_domtrans_fenced(sanlock_t)
')
optional_policy(`
-@@ -100,7 +113,7 @@ optional_policy(`
+@@ -100,7 +117,7 @@ optional_policy(`
')
optional_policy(`
@@ -87038,7 +87115,7 @@ index f93558c..cc73c96 100644
files_search_pids($1)
diff --git a/xen.te b/xen.te
-index ed40676..8042769 100644
+index ed40676..0706207 100644
--- a/xen.te
+++ b/xen.te
@@ -1,42 +1,34 @@
@@ -87360,7 +87437,12 @@ index ed40676..8042769 100644
kernel_read_kernel_sysctls(xend_t)
kernel_read_system_state(xend_t)
-@@ -228,57 +275,39 @@ kernel_read_network_state(xend_t)
+@@ -224,61 +271,44 @@ kernel_write_xen_state(xend_t)
+ kernel_read_xen_state(xend_t)
+ kernel_rw_net_sysctls(xend_t)
+ kernel_read_network_state(xend_t)
++kernel_request_load_module(xend_t)
+
corecmd_exec_bin(xend_t)
corecmd_exec_shell(xend_t)
@@ -87424,7 +87506,7 @@ index ed40676..8042769 100644
storage_read_scsi_generic(xend_t)
-@@ -295,7 +324,8 @@ locallogin_dontaudit_use_fds(xend_t)
+@@ -295,7 +325,8 @@ locallogin_dontaudit_use_fds(xend_t)
logging_send_syslog_msg(xend_t)
@@ -87434,7 +87516,7 @@ index ed40676..8042769 100644
miscfiles_read_hwdata(xend_t)
sysnet_domtrans_dhcpc(xend_t)
-@@ -308,23 +338,7 @@ sysnet_rw_dhcp_config(xend_t)
+@@ -308,23 +339,7 @@ sysnet_rw_dhcp_config(xend_t)
userdom_dontaudit_search_user_home_dirs(xend_t)
@@ -87459,7 +87541,7 @@ index ed40676..8042769 100644
optional_policy(`
brctl_domtrans(xend_t)
-@@ -342,7 +356,7 @@ optional_policy(`
+@@ -342,7 +357,7 @@ optional_policy(`
mount_domtrans(xend_t)
')
@@ -87468,7 +87550,7 @@ index ed40676..8042769 100644
netutils_domtrans(xend_t)
')
-@@ -351,6 +365,7 @@ optional_policy(`
+@@ -351,6 +366,7 @@ optional_policy(`
')
optional_policy(`
@@ -87476,7 +87558,7 @@ index ed40676..8042769 100644
virt_search_images(xend_t)
virt_read_config(xend_t)
')
-@@ -365,13 +380,9 @@ allow xenconsoled_t self:process setrlimit;
+@@ -365,13 +381,9 @@ allow xenconsoled_t self:process setrlimit;
allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
allow xenconsoled_t self:fifo_file rw_fifo_file_perms;
@@ -87492,7 +87574,7 @@ index ed40676..8042769 100644
manage_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t)
manage_sock_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t)
files_pid_filetrans(xenconsoled_t, xenconsoled_var_run_t, { file sock_file })
-@@ -384,10 +395,6 @@ dev_rw_xen(xenconsoled_t)
+@@ -384,10 +396,6 @@ dev_rw_xen(xenconsoled_t)
dev_filetrans_xen(xenconsoled_t)
dev_rw_sysfs(xenconsoled_t)
@@ -87503,7 +87585,7 @@ index ed40676..8042769 100644
fs_list_tmpfs(xenconsoled_t)
fs_manage_xenfs_dirs(xenconsoled_t)
-@@ -395,15 +402,13 @@ fs_manage_xenfs_files(xenconsoled_t)
+@@ -395,15 +403,13 @@ fs_manage_xenfs_files(xenconsoled_t)
term_create_pty(xenconsoled_t, xen_devpts_t)
term_use_generic_ptys(xenconsoled_t)
@@ -87521,7 +87603,7 @@ index ed40676..8042769 100644
xen_stream_connect_xenstore(xenconsoled_t)
optional_policy(`
-@@ -416,24 +421,26 @@ optional_policy(`
+@@ -416,24 +422,26 @@ optional_policy(`
#
allow xenstored_t self:capability { dac_override ipc_lock sys_resource };
@@ -87552,7 +87634,7 @@ index ed40676..8042769 100644
manage_dirs_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
manage_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
manage_sock_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
-@@ -448,157 +455,36 @@ dev_filetrans_xen(xenstored_t)
+@@ -448,157 +456,36 @@ dev_filetrans_xen(xenstored_t)
dev_rw_xen(xenstored_t)
dev_read_sysfs(xenstored_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 3f2724c..92da680 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 10%{?dist}
+Release: 11%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -521,6 +521,17 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Fri Feb 8 2013 Miroslav Grepl 3.12.1-11
+- Allow gpg to read fips_enabled
+- Add support for /var/cache/realmd
+- Add support for /usr/sbin/blazer_usb and systemd support for nut
+- Add labeling for fenced_sanlock and allow sanclok transition to fenced_t
+- bitlbee wants to read own log file
+- Allow glance domain to send a signal itself
+- Allow xend_t to request that the kernel load a kernel module
+- Allow pacemaker to execute heartbeat lib files
+- cleanup new swift policy
+
* Tue Feb 5 2013 Miroslav Grepl 3.12.1-10
- Fix smartmontools
- Fix userdom_restricted_xwindows_user_template() interface