diff --git a/policy-F15.patch b/policy-F15.patch
index e1c2673..e08515a 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -3957,7 +3957,7 @@ index 9a6d67d..b0c1197 100644
## mozilla over dbus.
##
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index cbf4bec..9024e9a 100644
+index cbf4bec..62796d8 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t)
@@ -4030,7 +4030,7 @@ index cbf4bec..9024e9a 100644
pulseaudio_exec(mozilla_t)
pulseaudio_stream_connect(mozilla_t)
pulseaudio_manage_home_files(mozilla_t)
-@@ -266,3 +291,128 @@ optional_policy(`
+@@ -266,3 +291,129 @@ optional_policy(`
optional_policy(`
thunderbird_domtrans(mozilla_t)
')
@@ -4101,6 +4101,7 @@ index cbf4bec..9024e9a 100644
+
+miscfiles_read_localization(mozilla_plugin_t)
+miscfiles_read_fonts(mozilla_plugin_t)
++miscfiles_dontaudit_setattr_fonts_dirs(mozilla_plugin_t)
+
+sysnet_dns_name_resolve(mozilla_plugin_t)
+
@@ -7385,10 +7386,21 @@ index 82842a0..369c3b5 100644
dbus_system_bus_client($1_wm_t)
dbus_session_bus_client($1_wm_t)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 34c9d01..94ec653 100644
+index 34c9d01..4842e56 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
-@@ -128,8 +128,8 @@ ifdef(`distro_debian',`
+@@ -72,7 +72,9 @@ ifdef(`distro_redhat',`
+ /etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+ /etc/mail/make -- gen_context(system_u:object_r:bin_t,s0)
+-/etc/mgetty\+sendfax/new_fax -- gen_context(system_u:object_r:bin_t,s0)
++/etc/mcelog/cache-error-trigger -- gen_context(system_u:object_r:bin_t,s0)
++/etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:bin_t,s0)
++etc/mgetty\+sendfax/new_fax -- gen_context(system_u:object_r:bin_t,s0)
+
+ /etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+@@ -128,8 +130,8 @@ ifdef(`distro_debian',`
/lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0)
/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
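Review bot: The re-added mgetty entry in the nested corecommands.fc hunk has lost its leading slash: the patch removes `/etc/mgetty\+sendfax/new_fax` and adds `etc/mgetty\+sendfax/new_fax`. File-context expressions are matched against absolute paths, so the new entry can never match and the file would no longer be labelled bin_t. The line should either stay as unchanged context or be re-added as `/etc/mgetty\+sendfax/new_fax -- gen_context(system_u:object_r:bin_t,s0)`. Which label the file falls back to is not visible here, so check it with `matchpathcon` after the build.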
@@ -7398,7 +7410,7 @@ index 34c9d01..94ec653 100644
/lib/udev/scsi_id -- gen_context(system_u:object_r:bin_t,s0)
/lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -307,6 +307,7 @@ ifdef(`distro_redhat', `
+@@ -307,6 +309,7 @@ ifdef(`distro_redhat', `
/usr/lib64/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib64/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
@@ -13273,7 +13285,7 @@ index 9e39aa5..3bfac20 100644
+/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
-index c9e1a44..ef353c7 100644
+index c9e1a44..1a1ba36 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -13,17 +13,13 @@
@@ -13541,7 +13553,7 @@ index c9e1a44..ef353c7 100644
## Apache cache.
##
##
-@@ -544,6 +580,27 @@ interface(`apache_delete_cache_files',`
+@@ -544,6 +580,26 @@ interface(`apache_delete_cache_files',`
########################################
##
@@ -13553,7 +13565,6 @@ index c9e1a44..ef353c7 100644
+## Domain allowed access.
+##
+##
-+##
+#
+interface(`apache_search_config',`
+ gen_require(`
@@ -13569,7 +13580,7 @@ index c9e1a44..ef353c7 100644
## Allow the specified domain to read
## apache configuration files.
##
-@@ -694,7 +751,7 @@ interface(`apache_dontaudit_append_log',`
+@@ -694,7 +750,7 @@ interface(`apache_dontaudit_append_log',`
type httpd_log_t;
')
@@ -13578,7 +13589,7 @@ index c9e1a44..ef353c7 100644
')
########################################
-@@ -740,6 +797,25 @@ interface(`apache_dontaudit_search_modules',`
+@@ -740,6 +796,25 @@ interface(`apache_dontaudit_search_modules',`
########################################
##
@@ -13604,7 +13615,7 @@ index c9e1a44..ef353c7 100644
## Allow the specified domain to list
## the contents of the apache modules
## directory.
-@@ -756,6 +832,7 @@ interface(`apache_list_modules',`
+@@ -756,6 +831,7 @@ interface(`apache_list_modules',`
')
allow $1 httpd_modules_t:dir list_dir_perms;
@@ -13612,7 +13623,7 @@ index c9e1a44..ef353c7 100644
')
########################################
-@@ -814,6 +891,7 @@ interface(`apache_list_sys_content',`
+@@ -814,6 +890,7 @@ interface(`apache_list_sys_content',`
')
list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
@@ -13620,7 +13631,7 @@ index c9e1a44..ef353c7 100644
files_search_var($1)
')
-@@ -841,6 +919,74 @@ interface(`apache_manage_sys_content',`
+@@ -841,6 +918,74 @@ interface(`apache_manage_sys_content',`
manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
')
@@ -13695,7 +13706,7 @@ index c9e1a44..ef353c7 100644
########################################
##
## Execute all web scripts in the system
-@@ -857,7 +1003,11 @@ interface(`apache_manage_sys_content',`
+@@ -857,7 +1002,11 @@ interface(`apache_manage_sys_content',`
interface(`apache_domtrans_sys_script',`
gen_require(`
attribute httpdcontent;
@@ -13708,7 +13719,7 @@ index c9e1a44..ef353c7 100644
')
tunable_policy(`httpd_enable_cgi && httpd_unified',`
-@@ -916,9 +1066,10 @@ interface(`apache_domtrans_all_scripts',`
+@@ -916,9 +1065,10 @@ interface(`apache_domtrans_all_scripts',`
##
##
##
@@ -13720,7 +13731,7 @@ index c9e1a44..ef353c7 100644
#
interface(`apache_run_all_scripts',`
gen_require(`
-@@ -945,7 +1096,7 @@ interface(`apache_read_squirrelmail_data',`
+@@ -945,7 +1095,7 @@ interface(`apache_read_squirrelmail_data',`
type httpd_squirrelmail_t;
')
@@ -13729,7 +13740,7 @@ index c9e1a44..ef353c7 100644
')
########################################
-@@ -1086,6 +1237,25 @@ interface(`apache_read_tmp_files',`
+@@ -1086,6 +1236,25 @@ interface(`apache_read_tmp_files',`
read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
')
@@ -13755,7 +13766,7 @@ index c9e1a44..ef353c7 100644
########################################
##
## Dontaudit attempts to write
-@@ -1102,7 +1272,7 @@ interface(`apache_dontaudit_write_tmp_files',`
+@@ -1102,7 +1271,7 @@ interface(`apache_dontaudit_write_tmp_files',`
type httpd_tmp_t;
')
@@ -13764,7 +13775,7 @@ index c9e1a44..ef353c7 100644
')
########################################
-@@ -1165,17 +1335,14 @@ interface(`apache_cgi_domain',`
+@@ -1165,17 +1334,14 @@ interface(`apache_cgi_domain',`
#
interface(`apache_admin',`
gen_require(`
@@ -13786,7 +13797,7 @@ index c9e1a44..ef353c7 100644
ps_process_pattern($1, httpd_t)
init_labeled_script_domtrans($1, httpd_initrc_exec_t)
-@@ -1186,10 +1353,10 @@ interface(`apache_admin',`
+@@ -1186,10 +1352,10 @@ interface(`apache_admin',`
apache_manage_all_content($1)
miscfiles_manage_public_files($1)
@@ -13799,7 +13810,7 @@ index c9e1a44..ef353c7 100644
admin_pattern($1, httpd_log_t)
admin_pattern($1, httpd_modules_t)
-@@ -1200,14 +1367,43 @@ interface(`apache_admin',`
+@@ -1200,14 +1366,43 @@ interface(`apache_admin',`
admin_pattern($1, httpd_var_run_t)
files_pid_filetrans($1, httpd_var_run_t, file)
@@ -13849,7 +13860,7 @@ index c9e1a44..ef353c7 100644
+ dontaudit $1 httpd_tmp_t:file { read write };
')
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 08dfa0c..973fdf0 100644
+index 08dfa0c..84e9bea 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -18,130 +18,195 @@ policy_module(apache, 2.2.0)
@@ -14453,18 +14464,19 @@ index 08dfa0c..973fdf0 100644
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -603,6 +800,10 @@ optional_policy(`
+@@ -603,6 +800,11 @@ optional_policy(`
yam_read_content(httpd_t)
')
+optional_policy(`
+ zarafa_stream_connect_server(httpd_t)
++ zarafa_search_config(httpd_t)
+')
+
########################################
#
# Apache helper local policy
-@@ -618,6 +819,10 @@ logging_send_syslog_msg(httpd_helper_t)
+@@ -618,6 +820,10 @@ logging_send_syslog_msg(httpd_helper_t)
userdom_use_user_terminals(httpd_helper_t)
@@ -14475,7 +14487,7 @@ index 08dfa0c..973fdf0 100644
########################################
#
# Apache PHP script local policy
-@@ -654,28 +859,27 @@ libs_exec_lib_files(httpd_php_t)
+@@ -654,28 +860,27 @@ libs_exec_lib_files(httpd_php_t)
userdom_use_unpriv_users_fds(httpd_php_t)
tunable_policy(`httpd_can_network_connect_db',`
@@ -14516,7 +14528,7 @@ index 08dfa0c..973fdf0 100644
')
########################################
-@@ -699,17 +903,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -699,17 +904,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -14542,7 +14554,7 @@ index 08dfa0c..973fdf0 100644
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -740,10 +949,20 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -740,10 +950,20 @@ tunable_policy(`httpd_can_network_connect',`
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@@ -14564,7 +14576,7 @@ index 08dfa0c..973fdf0 100644
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -769,6 +988,25 @@ optional_policy(`
+@@ -769,6 +989,25 @@ optional_policy(`
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -14590,7 +14602,7 @@ index 08dfa0c..973fdf0 100644
########################################
#
# Apache system script local policy
-@@ -792,9 +1030,13 @@ kernel_read_kernel_sysctls(httpd_sys_script_t)
+@@ -792,9 +1031,13 @@ kernel_read_kernel_sysctls(httpd_sys_script_t)
files_search_var_lib(httpd_sys_script_t)
files_search_spool(httpd_sys_script_t)
@@ -14604,7 +14616,7 @@ index 08dfa0c..973fdf0 100644
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-@@ -803,6 +1045,33 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -803,6 +1046,33 @@ tunable_policy(`httpd_can_sendmail',`
mta_send_mail(httpd_sys_script_t)
')
@@ -14638,7 +14650,7 @@ index 08dfa0c..973fdf0 100644
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
allow httpd_sys_script_t self:udp_socket create_socket_perms;
-@@ -822,7 +1091,7 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -822,7 +1092,7 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
')
tunable_policy(`httpd_enable_homedirs',`
@@ -14647,7 +14659,7 @@ index 08dfa0c..973fdf0 100644
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -830,6 +1099,20 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -830,6 +1100,20 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_symlinks(httpd_sys_script_t)
')
@@ -14668,7 +14680,7 @@ index 08dfa0c..973fdf0 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,10 +1125,20 @@ optional_policy(`
+@@ -842,10 +1126,20 @@ optional_policy(`
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -14689,7 +14701,7 @@ index 08dfa0c..973fdf0 100644
')
########################################
-@@ -891,11 +1184,21 @@ optional_policy(`
+@@ -891,11 +1185,21 @@ optional_policy(`
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -18812,6 +18824,55 @@ index 0a1a61b..da508f4 100644
')
allow $1 ddclient_t:process { ptrace signal_perms };
+diff --git a/policy/modules/services/ddclient.te b/policy/modules/services/ddclient.te
+index 24ba98a..0910356 100644
+--- a/policy/modules/services/ddclient.te
++++ b/policy/modules/services/ddclient.te
+@@ -18,6 +18,9 @@ init_script_file(ddclient_initrc_exec_t)
+ type ddclient_log_t;
+ logging_log_file(ddclient_log_t)
+
++type ddclient_tmp_t;
++files_tmp_file(ddclient_tmp_t)
++
+ type ddclient_var_t;
+ files_type(ddclient_var_t)
+
+@@ -37,12 +40,16 @@ allow ddclient_t self:process signal_perms;
+ allow ddclient_t self:fifo_file rw_fifo_file_perms;
+ allow ddclient_t self:tcp_socket create_socket_perms;
+ allow ddclient_t self:udp_socket create_socket_perms;
++allow ddclient_t self:netlink_route_socket r_netlink_socket_perms;
+
+ allow ddclient_t ddclient_etc_t:file read_file_perms;
+
+ allow ddclient_t ddclient_log_t:file manage_file_perms;
+ logging_log_filetrans(ddclient_t, ddclient_log_t, file)
+
++manage_files_pattern(ddclient_t, ddclient_tmp_t, ddclient_tmp_t)
++files_tmp_filetrans(ddclient_t, ddclient_tmp_t, { file })
++
+ manage_dirs_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
+ manage_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
+ manage_lnk_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
+@@ -74,6 +81,8 @@ corenet_tcp_sendrecv_generic_node(ddclient_t)
+ corenet_udp_sendrecv_generic_node(ddclient_t)
+ corenet_tcp_sendrecv_all_ports(ddclient_t)
+ corenet_udp_sendrecv_all_ports(ddclient_t)
++corenet_tcp_bind_generic_node(ddclient_t)
++corenet_udp_bind_generic_node(ddclient_t)
+ corenet_tcp_connect_all_ports(ddclient_t)
+ corenet_sendrecv_all_client_packets(ddclient_t)
+
+@@ -89,6 +98,8 @@ files_read_usr_files(ddclient_t)
+ fs_getattr_all_fs(ddclient_t)
+ fs_search_auto_mountpoints(ddclient_t)
+
++mta_send_mail(ddclient_t)
++
+ logging_send_syslog_msg(ddclient_t)
+
+ miscfiles_read_localization(ddclient_t)
diff --git a/policy/modules/services/denyhosts.if b/policy/modules/services/denyhosts.if
index 567865f..9c9e65c 100644
--- a/policy/modules/services/denyhosts.if
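Review bot: The new `mta_send_mail(ddclient_t)` call in ddclient.te is unconditional, so ddclient_t may always run the mail agent, whether or not mail notification is configured. It also calls an interface from another module, so wrapping it in an optional_policy block, as this patch does for the zarafa and gnome calls, would keep ddclient building if mta is absent. Whether mta is a base module in this build is not visible here. The added `corenet_tcp_bind_generic_node`/`corenet_udp_bind_generic_node` lines and the netlink_route_socket rule should each get a one-line comment naming the denial they resolve, because the changelog entry for ddclient says nothing specific.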
@@ -21686,10 +21747,19 @@ index a627b34..c899c61 100644
optional_policy(`
seutil_sigchld_newrole(gpm_t)
diff --git a/policy/modules/services/gpsd.te b/policy/modules/services/gpsd.te
-index 03742d8..7b9c543 100644
+index 03742d8..2a87d1e 100644
--- a/policy/modules/services/gpsd.te
+++ b/policy/modules/services/gpsd.te
-@@ -56,6 +56,10 @@ logging_send_syslog_msg(gpsd_t)
+@@ -46,6 +46,8 @@ corenet_tcp_sendrecv_all_ports(gpsd_t)
+ corenet_tcp_bind_all_nodes(gpsd_t)
+ corenet_tcp_bind_gpsd_port(gpsd_t)
+
++dev_read_sysfs(gpsd_t)
++
+ term_use_unallocated_ttys(gpsd_t)
+ term_setattr_unallocated_ttys(gpsd_t)
+
+@@ -56,6 +58,10 @@ logging_send_syslog_msg(gpsd_t)
miscfiles_read_localization(gpsd_t)
optional_policy(`
@@ -24631,7 +24701,7 @@ index 343cee3..2f948ad 100644
+ ')
+')
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
-index 64268e4..1acd149 100644
+index 64268e4..6543734 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -20,8 +20,8 @@ files_type(etc_aliases_t)
@@ -24645,13 +24715,14 @@ index 64268e4..1acd149 100644
type mqueue_spool_t;
files_mountpoint(mqueue_spool_t)
-@@ -50,22 +50,9 @@ ubac_constrained(user_mail_tmp_t)
+@@ -50,22 +50,11 @@ ubac_constrained(user_mail_tmp_t)
# newalias required this, not sure if it is needed in 'if' file
allow system_mail_t self:capability { dac_override fowner };
-allow system_mail_t self:fifo_file rw_fifo_file_perms;
--
+
-read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t)
++allow system_mail_t mail_home_t:file manage_file_perms;
read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type)
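Review bot: The added `allow system_mail_t mail_home_t:file manage_file_perms;` in mta.te lets the system mail domain create, write, rename and unlink mail_home_t files. The same hunk shows system_mail_t holding `dac_override`, so file ownership would not limit whose files it can rewrite. The 3.9.8-7 changelog does not mention this rule, so the denial it answers is undocumented. If the program only appends to or reads an existing file, a narrower set such as `append_file_perms` or `read_file_perms` would be enough. Otherwise add a comment naming the program and path that need full manage access. The declaration of mail_home_t is outside the visible lines, so confirm it is declared or required in this module.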
@@ -24668,7 +24739,7 @@ index 64268e4..1acd149 100644
dev_read_sysfs(system_mail_t)
dev_read_rand(system_mail_t)
dev_read_urand(system_mail_t)
-@@ -82,6 +69,10 @@ init_use_script_ptys(system_mail_t)
+@@ -82,6 +71,10 @@ init_use_script_ptys(system_mail_t)
userdom_use_user_terminals(system_mail_t)
userdom_dontaudit_search_user_home_dirs(system_mail_t)
@@ -24679,7 +24750,7 @@ index 64268e4..1acd149 100644
optional_policy(`
apache_read_squirrelmail_data(system_mail_t)
-@@ -92,17 +83,28 @@ optional_policy(`
+@@ -92,17 +85,28 @@ optional_policy(`
apache_dontaudit_rw_stream_sockets(system_mail_t)
apache_dontaudit_rw_tcp_sockets(system_mail_t)
apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
@@ -24709,7 +24780,7 @@ index 64268e4..1acd149 100644
clamav_stream_connect(system_mail_t)
clamav_append_log(system_mail_t)
')
-@@ -111,6 +113,8 @@ optional_policy(`
+@@ -111,6 +115,8 @@ optional_policy(`
cron_read_system_job_tmp_files(system_mail_t)
cron_dontaudit_write_pipes(system_mail_t)
cron_rw_system_job_stream_sockets(system_mail_t)
@@ -24718,7 +24789,7 @@ index 64268e4..1acd149 100644
')
optional_policy(`
-@@ -124,12 +128,8 @@ optional_policy(`
+@@ -124,12 +130,8 @@ optional_policy(`
')
optional_policy(`
@@ -24732,7 +24803,7 @@ index 64268e4..1acd149 100644
')
optional_policy(`
-@@ -146,6 +146,10 @@ optional_policy(`
+@@ -146,6 +148,10 @@ optional_policy(`
')
optional_policy(`
@@ -24743,7 +24814,7 @@ index 64268e4..1acd149 100644
nagios_read_tmp_files(system_mail_t)
')
-@@ -158,18 +162,6 @@ optional_policy(`
+@@ -158,18 +164,6 @@ optional_policy(`
files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
domain_use_interactive_fds(system_mail_t)
@@ -24762,7 +24833,7 @@ index 64268e4..1acd149 100644
')
optional_policy(`
-@@ -189,6 +181,10 @@ optional_policy(`
+@@ -189,6 +183,10 @@ optional_policy(`
')
optional_policy(`
@@ -24773,7 +24844,7 @@ index 64268e4..1acd149 100644
smartmon_read_tmp_files(system_mail_t)
')
-@@ -199,7 +195,7 @@ optional_policy(`
+@@ -199,7 +197,7 @@ optional_policy(`
arpwatch_search_data(mailserver_delivery)
arpwatch_manage_tmp_files(mta_user_agent)
@@ -24782,7 +24853,7 @@ index 64268e4..1acd149 100644
arpwatch_dontaudit_rw_packet_sockets(mta_user_agent)
')
-@@ -220,7 +216,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+@@ -220,7 +218,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
@@ -24792,7 +24863,7 @@ index 64268e4..1acd149 100644
read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
-@@ -249,11 +246,16 @@ optional_policy(`
+@@ -249,11 +248,16 @@ optional_policy(`
mailman_read_data_symlinks(mailserver_delivery)
')
@@ -24809,7 +24880,7 @@ index 64268e4..1acd149 100644
domain_use_interactive_fds(user_mail_t)
userdom_use_user_terminals(user_mail_t)
-@@ -292,3 +294,44 @@ optional_policy(`
+@@ -292,3 +296,44 @@ optional_policy(`
postfix_read_config(user_mail_t)
postfix_list_spool(user_mail_t)
')
@@ -24955,7 +25026,7 @@ index c358d8f..92c9dca 100644
allow $1 munin_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te
-index f17583b..6f8b0fd 100644
+index f17583b..0dc6344 100644
--- a/policy/modules/services/munin.te
+++ b/policy/modules/services/munin.te
@@ -5,6 +5,8 @@ policy_module(munin, 1.8.0)
@@ -25105,7 +25176,7 @@ index f17583b..6f8b0fd 100644
dev_read_sysfs(system_munin_plugin_t)
dev_read_urand(system_munin_plugin_t)
-@@ -313,3 +317,29 @@ init_read_utmp(system_munin_plugin_t)
+@@ -313,3 +317,30 @@ init_read_utmp(system_munin_plugin_t)
sysnet_exec_ifconfig(system_munin_plugin_t)
term_getattr_unallocated_ttys(system_munin_plugin_t)
@@ -25129,6 +25200,7 @@ index f17583b..6f8b0fd 100644
+corecmd_exec_bin(munin_plugin_domain)
+corecmd_exec_shell(munin_plugin_domain)
+
++files_search_var_lib(munin_plugin_domain)
+files_read_etc_files(munin_plugin_domain)
+files_read_usr_files(munin_plugin_domain)
+
@@ -25189,7 +25261,7 @@ index e9c0982..4d3b208 100644
admin_pattern($1, mysqld_tmp_t)
')
diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
-index 0a0d63c..086df22 100644
+index 0a0d63c..d02b476 100644
--- a/policy/modules/services/mysql.te
+++ b/policy/modules/services/mysql.te
@@ -6,9 +6,9 @@ policy_module(mysql, 1.12.0)
@@ -25257,8 +25329,17 @@ index 0a0d63c..086df22 100644
files_read_etc_files(mysqld_safe_t)
files_read_usr_files(mysqld_safe_t)
files_dontaudit_getattr_all_dirs(mysqld_safe_t)
+@@ -183,6 +186,8 @@ logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
+
+ hostname_exec(mysqld_safe_t)
+
++logging_send_syslog_msg(mysqld_safe_t)
++
+ miscfiles_read_localization(mysqld_safe_t)
+
+ mysql_manage_db_files(mysqld_safe_t)
diff --git a/policy/modules/services/nagios.if b/policy/modules/services/nagios.if
-index 8581040..89e1edf 100644
+index 8581040..f54b3b8 100644
--- a/policy/modules/services/nagios.if
+++ b/policy/modules/services/nagios.if
@@ -12,10 +12,8 @@
@@ -25281,7 +25362,16 @@ index 8581040..89e1edf 100644
# needed by command.cfg
domtrans_pattern(nagios_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t)
-@@ -49,7 +48,6 @@ template(`nagios_plugin_template',`
+@@ -36,6 +35,8 @@ template(`nagios_plugin_template',`
+ dontaudit nagios_$1_plugin_t nrpe_t:tcp_socket { read write };
+ dontaudit nagios_$1_plugin_t nagios_log_t:file { read write };
+
++ files_read_usr_files(nagios_$1_plugin_t)
++
+ miscfiles_read_localization(nagios_$1_plugin_t)
+ ')
+
+@@ -49,7 +50,6 @@ template(`nagios_plugin_template',`
## Domain to not audit.
##
##
@@ -25289,7 +25379,7 @@ index 8581040..89e1edf 100644
#
interface(`nagios_dontaudit_rw_pipes',`
gen_require(`
-@@ -159,6 +157,26 @@ interface(`nagios_read_tmp_files',`
+@@ -159,6 +159,26 @@ interface(`nagios_read_tmp_files',`
########################################
##
@@ -25316,7 +25406,7 @@ index 8581040..89e1edf 100644
## Execute the nagios NRPE with
## a domain transition.
##
-@@ -195,11 +213,9 @@ interface(`nagios_domtrans_nrpe',`
+@@ -195,11 +215,9 @@ interface(`nagios_domtrans_nrpe',`
#
interface(`nagios_admin',`
gen_require(`
@@ -25537,7 +25627,7 @@ index 2324d9e..8069487 100644
+ append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t)
+')
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
-index 0619395..4898ef8 100644
+index 0619395..5428249 100644
--- a/policy/modules/services/networkmanager.te
+++ b/policy/modules/services/networkmanager.te
@@ -12,6 +12,12 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
@@ -25640,10 +25730,14 @@ index 0619395..4898ef8 100644
optional_policy(`
consolekit_dbus_chat(NetworkManager_t)
')
-@@ -202,6 +230,13 @@ optional_policy(`
+@@ -202,6 +230,17 @@ optional_policy(`
')
optional_policy(`
++ gnome_dontaudit_search_config(NetworkManager_t)
++')
++
++optional_policy(`
+ ipsec_domtrans_mgmt(NetworkManager_t)
+ ipsec_kill_mgmt(NetworkManager_t)
+ ipsec_signal_mgmt(NetworkManager_t)
@@ -25654,7 +25748,7 @@ index 0619395..4898ef8 100644
iptables_domtrans(NetworkManager_t)
')
-@@ -219,6 +254,7 @@ optional_policy(`
+@@ -219,6 +258,7 @@ optional_policy(`
')
optional_policy(`
@@ -25662,7 +25756,7 @@ index 0619395..4898ef8 100644
openvpn_domtrans(NetworkManager_t)
openvpn_kill(NetworkManager_t)
openvpn_signal(NetworkManager_t)
-@@ -263,6 +299,7 @@ optional_policy(`
+@@ -263,6 +303,7 @@ optional_policy(`
vpn_kill(NetworkManager_t)
vpn_signal(NetworkManager_t)
vpn_signull(NetworkManager_t)
@@ -32577,10 +32671,15 @@ index e30bb63..6e627d6 100644
+ can_exec(smbd_t, samba_unconfined_script_exec_t)
')
diff --git a/policy/modules/services/sasl.if b/policy/modules/services/sasl.if
-index f1aea88..c3ffa9d 100644
+index f1aea88..a5a75a8 100644
--- a/policy/modules/services/sasl.if
+++ b/policy/modules/services/sasl.if
-@@ -42,7 +42,7 @@ interface(`sasl_admin',`
+@@ -38,11 +38,11 @@ interface(`sasl_connect',`
+ #
+ interface(`sasl_admin',`
+ gen_require(`
+- type saslauthd_t, saslauthd_tmp_t, saslauthd_var_run_t;
++ type saslauthd_t, saslauthd_var_run_t;
type saslauthd_initrc_exec_t;
')
@@ -32589,6 +32688,16 @@ index f1aea88..c3ffa9d 100644
ps_process_pattern($1, saslauthd_t)
init_labeled_script_domtrans($1, saslauthd_initrc_exec_t)
+@@ -50,9 +50,6 @@ interface(`sasl_admin',`
+ role_transition $2 saslauthd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+- files_list_tmp($1)
+- admin_pattern($1, saslauthd_tmp_t)
+-
+ files_list_pids($1)
+ admin_pattern($1, saslauthd_var_run_t)
+ ')
diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te
index 22184ad..d87a3f0 100644
--- a/policy/modules/services/sasl.te
@@ -39095,10 +39204,10 @@ index 0000000..56cb5af
+/var/run/zarafa-monitor\.pid -- gen_context(system_u:object_r:zarafa_monitor_var_run_t,s0)
diff --git a/policy/modules/services/zarafa.if b/policy/modules/services/zarafa.if
new file mode 100644
-index 0000000..4f2dde8
+index 0000000..8a909f5
--- /dev/null
+++ b/policy/modules/services/zarafa.if
-@@ -0,0 +1,102 @@
+@@ -0,0 +1,122 @@
+## policy for zarafa services
+
+######################################
@@ -39201,6 +39310,26 @@ index 0000000..4f2dde8
+ files_search_var_lib($1)
+ stream_connect_pattern($1, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t)
+')
++
++######################################
++##
++## Allow the specified domain to search
++## zarafa configuration dirs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`zarafa_search_config',`
++ gen_require(`
++ type zarafa_etc_t;
++ ')
++
++ files_search_etc($1)
++ allow $1 zarafa_etc_t:dir search_dir_perms;
++')
diff --git a/policy/modules/services/zarafa.te b/policy/modules/services/zarafa.te
new file mode 100644
index 0000000..3ce4d86
@@ -43010,14 +43139,16 @@ index 72c746e..e3d06fd 100644
+/var/cache/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
+/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
-index 8b5c196..3490497 100644
+index 8b5c196..b195f9d 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
-@@ -16,6 +16,14 @@ interface(`mount_domtrans',`
+@@ -16,6 +16,16 @@ interface(`mount_domtrans',`
')
domtrans_pattern($1, mount_exec_t, mount_t)
+ mount_domtrans_fusermount($1)
++
++ ps_process_pattern(mount_t, $1)
+
+ifdef(`hide_broken_symptoms', `
+ dontaudit mount_t $1:unix_stream_socket { read write };
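Review bot: The added `ps_process_pattern(mount_t, $1)` sits inside the shared mount_domtrans interface, so mount_t gains read access to the process state of every domain that calls it, not only the caller that triggered the denial. Nothing in the changelog explains why mount needs this. Either add a comment above the line naming the caller and the denial, or grant the access in that caller's own policy. The interface body and the ifdef block that follows continue outside this hunk.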
@@ -43028,7 +43159,7 @@ index 8b5c196..3490497 100644
')
########################################
-@@ -45,12 +53,58 @@ interface(`mount_run',`
+@@ -45,12 +55,58 @@ interface(`mount_run',`
role $2 types mount_t;
optional_policy(`
@@ -43088,7 +43219,7 @@ index 8b5c196..3490497 100644
## Execute mount in the caller domain.
##
##
-@@ -84,9 +138,11 @@ interface(`mount_exec',`
+@@ -84,9 +140,11 @@ interface(`mount_exec',`
interface(`mount_signal',`
gen_require(`
type mount_t;
@@ -43100,7 +43231,7 @@ index 8b5c196..3490497 100644
')
########################################
-@@ -95,7 +151,7 @@ interface(`mount_signal',`
+@@ -95,7 +153,7 @@ interface(`mount_signal',`
##
##
##
@@ -43109,7 +43240,7 @@ index 8b5c196..3490497 100644
##
##
#
-@@ -176,4 +232,109 @@ interface(`mount_run_unconfined',`
+@@ -176,4 +234,109 @@ interface(`mount_run_unconfined',`
mount_domtrans_unconfined($1)
role $2 types unconfined_mount_t;
diff --git a/selinux-policy.spec b/selinux-policy.spec
index b1d9393..7dc2435 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.8
-Release: 6%{?dist}
+Release: 7%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,16 @@ exit 0
%endif
%changelog
+* Mon Nov 15 2010 Miroslav Grepl 3.9.8-7
+- Allow nagios plugins to read usr files
+- Allow mysqld-safe to send system log messages
+- Fixes fpr ddclient policy
+- Fix sasl_admin interface
+- Allow apache to search zarafa config
+- Allow munin plugins to search /var/lib directory
+- Allow gpsd to read sysfs_t
+- Fix labels on /etc/mcelog/triggers to bin_t
+
* Fri Nov 12 2010 Dan Walsh 3.9.8-6
- Remove saslauthd_tmp_t and transition tmp files to krb5_host_rcache_t
- Allow saslauthd_t to create krb5_host_rcache_t files in /tmp