diff --git a/policy-F16.patch b/policy-F16.patch
index 3556157..111a915 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -857,10 +857,18 @@ index 4f7bd3c..b5c346f 100644
 +	#unconfined_domain(kudzu_t)
  ')
 diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
-index 7090dae..ee8eaf6 100644
+index 7090dae..6eac7b9 100644
 --- a/policy/modules/admin/logrotate.te
 +++ b/policy/modules/admin/logrotate.te
-@@ -102,6 +102,7 @@ files_read_var_lib_files(logrotate_t)
+@@ -61,6 +61,7 @@ files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir })
+ # for /var/lib/logrotate.status and /var/lib/logcheck
+ create_dirs_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
+ manage_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
++read_lnk_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
+ files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file)
+ 
+ kernel_read_system_state(logrotate_t)
+@@ -102,6 +103,7 @@ files_read_var_lib_files(logrotate_t)
  files_manage_generic_spool(logrotate_t)
  files_manage_generic_spool_dirs(logrotate_t)
  files_getattr_generic_locks(logrotate_t)
@@ -868,7 +876,7 @@ index 7090dae..ee8eaf6 100644
  
  # cjp: why is this needed?
  init_domtrans_script(logrotate_t)
-@@ -116,17 +117,15 @@ miscfiles_read_localization(logrotate_t)
+@@ -116,17 +118,15 @@ miscfiles_read_localization(logrotate_t)
  
  seutil_dontaudit_read_config(logrotate_t)
  
@@ -891,7 +899,7 @@ index 7090dae..ee8eaf6 100644
  	# for savelog
  	can_exec(logrotate_t, logrotate_exec_t)
  
-@@ -162,10 +161,20 @@ optional_policy(`
+@@ -162,10 +162,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -912,7 +920,7 @@ index 7090dae..ee8eaf6 100644
  	cups_domtrans(logrotate_t)
  ')
  
-@@ -203,7 +212,6 @@ optional_policy(`
+@@ -203,7 +213,6 @@ optional_policy(`
  	psad_domtrans(logrotate_t)
  ')
  
@@ -920,7 +928,7 @@ index 7090dae..ee8eaf6 100644
  optional_policy(`
  	samba_exec_log(logrotate_t)
  ')
-@@ -228,3 +236,14 @@ optional_policy(`
+@@ -228,3 +237,14 @@ optional_policy(`
  optional_policy(`
  	varnishd_manage_log(logrotate_t)
  ')
@@ -1827,7 +1835,7 @@ index b206bf6..bbd902f 100644
  /var/run/PackageKit(/.*)?		gen_context(system_u:object_r:rpm_var_run_t,s0)
  
 diff --git a/policy/modules/admin/rpm.if b/policy/modules/admin/rpm.if
-index d33daa8..c76708e 100644
+index d33daa8..8ba0f86 100644
 --- a/policy/modules/admin/rpm.if
 +++ b/policy/modules/admin/rpm.if
 @@ -13,10 +13,13 @@
@@ -1898,7 +1906,17 @@ index d33daa8..c76708e 100644
  ##	Send and receive messages from
  ##	rpm over dbus.
  ## </summary>
-@@ -335,7 +378,9 @@ interface(`rpm_manage_script_tmp_files',`
+@@ -277,8 +320,7 @@ interface(`rpm_append_log',`
+ 		type rpm_log_t;
+ 	')
+ 
+-	logging_search_logs($1)
+-	append_files_pattern($1, rpm_log_t, rpm_log_t)
++	allow $1 rpm_log_t:file append_inherited_file_perms;
+ ')
+ 
+ ########################################
+@@ -335,7 +377,9 @@ interface(`rpm_manage_script_tmp_files',`
  	')
  
  	files_search_tmp($1)
@@ -1908,7 +1926,17 @@ index d33daa8..c76708e 100644
  ')
  
  #####################################
-@@ -375,7 +420,9 @@ interface(`rpm_manage_tmp_files',`
+@@ -354,8 +398,7 @@ interface(`rpm_append_tmp_files',`
+ 		type rpm_tmp_t;
+ 	')
+ 
+-	files_search_tmp($1)
+-	append_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
++	allow $1 rpm_tmp_t:file append_inherited_file_perms;
+ ')
+ 
+ ########################################
+@@ -375,7 +418,9 @@ interface(`rpm_manage_tmp_files',`
  	')
  
  	files_search_tmp($1)
@@ -1918,7 +1946,7 @@ index d33daa8..c76708e 100644
  ')
  
  ########################################
-@@ -459,6 +506,7 @@ interface(`rpm_read_db',`
+@@ -459,6 +504,7 @@ interface(`rpm_read_db',`
  	allow $1 rpm_var_lib_t:dir list_dir_perms;
  	read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
  	read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
@@ -1926,7 +1954,7 @@ index d33daa8..c76708e 100644
  ')
  
  ########################################
-@@ -516,7 +564,7 @@ interface(`rpm_dontaudit_manage_db',`
+@@ -516,7 +562,7 @@ interface(`rpm_dontaudit_manage_db',`
  		type rpm_var_lib_t;
  	')
  
@@ -1935,7 +1963,7 @@ index d33daa8..c76708e 100644
  	dontaudit $1 rpm_var_lib_t:file manage_file_perms;
  	dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
  ')
-@@ -576,3 +624,66 @@ interface(`rpm_pid_filetrans',`
+@@ -576,3 +622,66 @@ interface(`rpm_pid_filetrans',`
  
  	files_pid_filetrans($1, rpm_var_run_t, file)
  ')
@@ -2489,6 +2517,19 @@ index bc00875..819a10b 100644
  	dbus_system_bus_client(smoltclient_t)
  ')
  
+diff --git a/policy/modules/admin/sosreport.if b/policy/modules/admin/sosreport.if
+index 94c01b5..f64bd93 100644
+--- a/policy/modules/admin/sosreport.if
++++ b/policy/modules/admin/sosreport.if
+@@ -106,7 +106,7 @@ interface(`sosreport_append_tmp_files',`
+ 		type sosreport_tmp_t;
+ 	')
+ 
+-	append_files_pattern($1, sosreport_tmp_t, sosreport_tmp_t)
++	allow $1 sosreport_tmp_t:file append_inherited_file_perms;
+ ')
+ 
+ ########################################
 diff --git a/policy/modules/admin/sosreport.te b/policy/modules/admin/sosreport.te
 index fe1c377..7660180 100644
 --- a/policy/modules/admin/sosreport.te
@@ -3863,10 +3904,10 @@ index 00a19e3..d5acf98 100644
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper	--		gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..265ff1a 100644
+index f5afe78..718b7ff 100644
 --- a/policy/modules/apps/gnome.if
 +++ b/policy/modules/apps/gnome.if
-@@ -1,44 +1,739 @@
+@@ -1,44 +1,740 @@
  ## <summary>GNU network object model environment (GNOME)</summary>
  
 -############################################################
@@ -3976,6 +4017,7 @@ index f5afe78..265ff1a 100644
 +
 +		optional_policy(`
 +			telepathy_mission_control_read_state($1_gkeyringd_t)
++			telepathy_dbus_chat($1_gkeyringd_t)
 +		')
 +	')
 +')
@@ -4624,7 +4666,7 @@ index f5afe78..265ff1a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -46,37 +741,36 @@ interface(`gnome_role',`
+@@ -46,37 +742,36 @@ interface(`gnome_role',`
  ##	</summary>
  ## </param>
  #
@@ -4673,7 +4715,7 @@ index f5afe78..265ff1a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -84,37 +778,42 @@ template(`gnome_read_gconf_config',`
+@@ -84,37 +779,42 @@ template(`gnome_read_gconf_config',`
  ##	</summary>
  ## </param>
  #
@@ -4727,7 +4769,7 @@ index f5afe78..265ff1a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -122,17 +821,17 @@ interface(`gnome_stream_connect_gconf',`
+@@ -122,17 +822,17 @@ interface(`gnome_stream_connect_gconf',`
  ##	</summary>
  ## </param>
  #
@@ -4749,7 +4791,7 @@ index f5afe78..265ff1a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -140,51 +839,359 @@ interface(`gnome_domtrans_gconfd',`
+@@ -140,51 +840,354 @@ interface(`gnome_domtrans_gconfd',`
  ##	</summary>
  ## </param>
  #
@@ -4857,11 +4899,6 @@ index f5afe78..265ff1a 100644
 +##	Send and receive messages from
 +##	gkeyringd over dbus.
 +## </summary>
-+## <param name="role_prefix">
-+##	<summary>
-+##	Role prefix.
-+##	</summary>
-+## </param>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
@@ -9195,7 +9232,7 @@ index 7590165..9a7ebe5 100644
 +	fs_mounton_fusefs(seunshare_domain)
 +')
 diff --git a/policy/modules/apps/telepathy.if b/policy/modules/apps/telepathy.if
-index 3cfb128..cfeed29 100644
+index 3cfb128..632c30c 100644
 --- a/policy/modules/apps/telepathy.if
 +++ b/policy/modules/apps/telepathy.if
 @@ -11,7 +11,6 @@
@@ -9215,26 +9252,31 @@ index 3cfb128..cfeed29 100644
  ## </summary>
  ## <param name="user_role">
  ##	<summary>
-@@ -46,6 +45,7 @@ template(`telepathy_domain_template',`
+@@ -44,8 +43,13 @@ template(`telepathy_domain_template',`
+ ##	The type of the user domain.
+ ##	</summary>
  ## </param>
++## <param name="domain_prefix">
++##	<summary>
++##	User domain prefix to be used.
++##	</summary>
++## </param>
  #
- template(`telepathy_role', `
-+
+-template(`telepathy_role', `
++template(`telepathy_role',`
  	gen_require(`
  		attribute telepathy_domain;
  		type telepathy_gabble_t, telepathy_sofiasip_t, telepathy_idle_t;
-@@ -78,6 +78,10 @@ template(`telepathy_role', `
+@@ -76,6 +80,8 @@ template(`telepathy_role', `
+ 	dbus_session_domain($3, telepathy_sunshine_exec_t, telepathy_sunshine_t)
+ 	dbus_session_domain($3, telepathy_stream_engine_exec_t, telepathy_stream_engine_t)
  	dbus_session_domain($3, telepathy_msn_exec_t, telepathy_msn_t)
++
++	telepathy_dbus_chat($2)
  ')
  
-+    optional_policy(`
-+        telepathy_dbus_chat($2)
-+    ')
-+
  ########################################
- ## <summary>
- ##	Stream connect to Telepathy Gabble
-@@ -179,3 +183,75 @@ interface(`telepathy_salut_stream_connect', `
+@@ -179,3 +185,75 @@ interface(`telepathy_salut_stream_connect', `
  	stream_connect_pattern($1, telepathy_salut_tmp_t, telepathy_salut_tmp_t, telepathy_salut_t)
  	files_search_tmp($1)
  ')
@@ -9311,7 +9353,7 @@ index 3cfb128..cfeed29 100644
 +    ')
 +')
 diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te
-index 2533ea0..f605e0a 100644
+index 2533ea0..9f6298c 100644
 --- a/policy/modules/apps/telepathy.te
 +++ b/policy/modules/apps/telepathy.te
 @@ -32,6 +32,8 @@ userdom_user_home_content(telepathy_gabble_cache_home_t)
@@ -9349,7 +9391,19 @@ index 2533ea0..f605e0a 100644
  #######################################
  #
  # Telepathy Idle local policy.
-@@ -168,6 +182,11 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -148,9 +162,11 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
+ allow telepathy_logger_t self:unix_stream_socket create_socket_perms;
+ 
+ manage_files_pattern(telepathy_logger_t, telepathy_logger_cache_home_t, telepathy_logger_cache_home_t)
++gnome_cache_filetrans(telepathy_logger_t, telepathy_logger_cache_home_t, file)
+ 
+ manage_dirs_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t)
+ manage_files_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t)
++gnome_data_filetrans(telepathy_logger_t, telepathy_logger_data_home_t, dir)
+ 
+ files_read_etc_files(telepathy_logger_t)
+ files_read_usr_files(telepathy_logger_t)
+@@ -168,6 +184,11 @@ tunable_policy(`use_samba_home_dirs',`
  	fs_manage_cifs_files(telepathy_logger_t)
  ')
  
@@ -9361,7 +9415,7 @@ index 2533ea0..f605e0a 100644
  #######################################
  #
  # Telepathy Mission-Control local policy.
-@@ -176,6 +195,7 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -176,6 +197,7 @@ tunable_policy(`use_samba_home_dirs',`
  manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
  manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
  userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, { dir file })
@@ -9369,10 +9423,14 @@ index 2533ea0..f605e0a 100644
  
  dev_read_rand(telepathy_mission_control_t)
  
-@@ -194,6 +214,12 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -194,6 +216,16 @@ tunable_policy(`use_samba_home_dirs',`
  	fs_manage_cifs_files(telepathy_mission_control_t)
  ')
  
++optional_policy(`
++	gnome_dbus_chat_gkeyringd(telepathy_mission_control_t)
++')
++
 +# ~/.cache/.mc_connections.
 +optional_policy(`
 +        manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_cache_home_t)
@@ -9382,7 +9440,7 @@ index 2533ea0..f605e0a 100644
  #######################################
  #
  # Telepathy Butterfly and Haze local policy.
-@@ -205,8 +231,11 @@ allow telepathy_msn_t self:unix_dgram_socket { write create connect };
+@@ -205,8 +237,11 @@ allow telepathy_msn_t self:unix_dgram_socket { write create connect };
  manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
  manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
  manage_sock_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
@@ -9394,7 +9452,7 @@ index 2533ea0..f605e0a 100644
  
  corenet_all_recvfrom_netlabel(telepathy_msn_t)
  corenet_all_recvfrom_unlabeled(telepathy_msn_t)
-@@ -246,6 +275,10 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
+@@ -246,6 +281,10 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
  ')
  
  optional_policy(`
@@ -9405,7 +9463,7 @@ index 2533ea0..f605e0a 100644
  	dbus_system_bus_client(telepathy_msn_t)
  
  	optional_policy(`
-@@ -365,6 +398,7 @@ dev_read_urand(telepathy_domain)
+@@ -365,6 +404,7 @@ dev_read_urand(telepathy_domain)
  
  kernel_read_system_state(telepathy_domain)
  
@@ -9413,7 +9471,7 @@ index 2533ea0..f605e0a 100644
  fs_search_auto_mountpoints(telepathy_domain)
  
  auth_use_nsswitch(telepathy_domain)
-@@ -376,5 +410,23 @@ optional_policy(`
+@@ -376,5 +416,23 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20425,7 +20483,7 @@ index 6480167..b32b10e 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
  ')
 diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 3136c6a..6650c05 100644
+index 3136c6a..a079c51 100644
 --- a/policy/modules/services/apache.te
 +++ b/policy/modules/services/apache.te
 @@ -18,130 +18,195 @@ policy_module(apache, 2.2.1)
@@ -20771,7 +20829,7 @@ index 3136c6a..6650c05 100644
  
  corenet_all_recvfrom_unlabeled(httpd_t)
  corenet_all_recvfrom_netlabel(httpd_t)
-@@ -365,8 +453,11 @@ corenet_udp_sendrecv_generic_node(httpd_t)
+@@ -365,11 +453,14 @@ corenet_udp_sendrecv_generic_node(httpd_t)
  corenet_tcp_sendrecv_all_ports(httpd_t)
  corenet_udp_sendrecv_all_ports(httpd_t)
  corenet_tcp_bind_generic_node(httpd_t)
@@ -20782,7 +20840,11 @@ index 3136c6a..6650c05 100644
 +corenet_tcp_bind_jboss_management_port(httpd_t)
  corenet_sendrecv_http_server_packets(httpd_t)
  # Signal self for shutdown
- corenet_tcp_connect_http_port(httpd_t)
+-corenet_tcp_connect_http_port(httpd_t)
++#corenet_tcp_connect_http_port(httpd_t)
+ 
+ dev_read_sysfs(httpd_t)
+ dev_read_rand(httpd_t)
 @@ -378,12 +469,12 @@ dev_rw_crypto(httpd_t)
  
  fs_getattr_all_fs(httpd_t)
@@ -26350,7 +26412,7 @@ index 81eba14..d0ab56c 100644
  /usr/bin/dbus-daemon(-1)? --	gen_context(system_u:object_r:dbusd_exec_t,s0)
  /usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
 diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
-index 1a1becd..5a0ca9f 100644
+index 1a1becd..7dbd8f6 100644
 --- a/policy/modules/services/dbus.if
 +++ b/policy/modules/services/dbus.if
 @@ -41,9 +41,9 @@ interface(`dbus_stub',`
@@ -26513,7 +26575,19 @@ index 1a1becd..5a0ca9f 100644
  ')
  
  ########################################
-@@ -336,13 +377,13 @@ interface(`dbus_connect_session_bus',`
+@@ -322,6 +363,11 @@ interface(`dbus_connect_session_bus',`
+ ##	Allow a application domain to be started
+ ##	by the session dbus.
+ ## </summary>
++## <param name="domain_prefix">
++##	<summary>
++##	User domain prefix to be used.
++##	</summary>
++## </param>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Type to be used as a domain.
+@@ -336,13 +382,13 @@ interface(`dbus_connect_session_bus',`
  #
  interface(`dbus_session_domain',`
  	gen_require(`
@@ -26531,7 +26605,7 @@ index 1a1becd..5a0ca9f 100644
  ')
  
  ########################################
-@@ -432,14 +473,33 @@ interface(`dbus_system_domain',`
+@@ -432,14 +478,33 @@ interface(`dbus_system_domain',`
  
  	domtrans_pattern(system_dbusd_t, $2, $1)
  
@@ -26566,7 +26640,7 @@ index 1a1becd..5a0ca9f 100644
  		dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
  	')
  ')
-@@ -464,26 +524,25 @@ interface(`dbus_use_system_bus_fds',`
+@@ -464,26 +529,25 @@ interface(`dbus_use_system_bus_fds',`
  
  ########################################
  ## <summary>
@@ -26599,7 +26673,7 @@ index 1a1becd..5a0ca9f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -491,10 +550,12 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
+@@ -491,10 +555,12 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
  ##	</summary>
  ## </param>
  #
@@ -28350,7 +28424,7 @@ index e1d7dc5..673f185 100644
  	admin_pattern($1, dovecot_var_run_t)
  
 diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
-index acf6d4f..f4f2402 100644
+index acf6d4f..4bbff24 100644
 --- a/policy/modules/services/dovecot.te
 +++ b/policy/modules/services/dovecot.te
 @@ -18,7 +18,7 @@ type dovecot_auth_tmp_t;
@@ -28451,7 +28525,12 @@ index acf6d4f..f4f2402 100644
  manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
  manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
  files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
-@@ -204,6 +223,7 @@ kernel_read_system_state(dovecot_auth_t)
+@@ -201,9 +220,12 @@ dovecot_stream_connect_auth(dovecot_auth_t)
+ kernel_read_all_sysctls(dovecot_auth_t)
+ kernel_read_system_state(dovecot_auth_t)
+ 
++corecmd_exec_bin(dovecot_auth_t)
++
  logging_send_audit_msgs(dovecot_auth_t)
  logging_send_syslog_msg(dovecot_auth_t)
  
@@ -28459,7 +28538,7 @@ index acf6d4f..f4f2402 100644
  dev_read_urand(dovecot_auth_t)
  
  auth_domtrans_chk_passwd(dovecot_auth_t)
-@@ -218,6 +238,8 @@ files_read_var_lib_files(dovecot_auth_t)
+@@ -218,6 +240,8 @@ files_read_var_lib_files(dovecot_auth_t)
  files_search_tmp(dovecot_auth_t)
  files_read_var_lib_files(dovecot_t)
  
@@ -28468,7 +28547,7 @@ index acf6d4f..f4f2402 100644
  init_rw_utmp(dovecot_auth_t)
  
  miscfiles_read_localization(dovecot_auth_t)
-@@ -236,6 +258,8 @@ optional_policy(`
+@@ -236,6 +260,8 @@ optional_policy(`
  optional_policy(`
  	mysql_search_db(dovecot_auth_t)
  	mysql_stream_connect(dovecot_auth_t)
@@ -28477,7 +28556,7 @@ index acf6d4f..f4f2402 100644
  ')
  
  optional_policy(`
-@@ -243,6 +267,8 @@ optional_policy(`
+@@ -243,6 +269,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28486,7 +28565,7 @@ index acf6d4f..f4f2402 100644
  	postfix_search_spool(dovecot_auth_t)
  ')
  
-@@ -250,23 +276,42 @@ optional_policy(`
+@@ -250,23 +278,42 @@ optional_policy(`
  #
  # dovecot deliver local policy
  #
@@ -28531,7 +28610,7 @@ index acf6d4f..f4f2402 100644
  
  miscfiles_read_localization(dovecot_deliver_t)
  
-@@ -302,5 +347,19 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -302,5 +349,19 @@ tunable_policy(`use_samba_home_dirs',`
  ')
  
  optional_policy(`
@@ -49280,10 +49359,10 @@ index 2124b6a..9682c44 100644
 +/var/lib/oz(/.*)?					gen_context(system_u:object_r:virt_var_lib_t,s0)
 +/var/lib/oz/isos(/.*)?				gen_context(system_u:object_r:virt_content_t,s0)
 diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
-index 7c5d8d8..5c0a7a4 100644
+index 7c5d8d8..411edf3 100644
 --- a/policy/modules/services/virt.if
 +++ b/policy/modules/services/virt.if
-@@ -13,14 +13,15 @@
+@@ -13,39 +13,42 @@
  #
  template(`virt_domain_template',`
  	gen_require(`
@@ -49292,6 +49371,7 @@ index 7c5d8d8..5c0a7a4 100644
 -		attribute virt_domain;
 +		attribute virt_image_type, virt_domain;
 +		attribute virt_tmpfs_type;
++		attribute virt_ptynode;
  	')
  
  	type $1_t, virt_domain;
@@ -49301,8 +49381,10 @@ index 7c5d8d8..5c0a7a4 100644
 +	mcs_untrusted_proc($1_t)
  	role system_r types $1_t;
  
- 	type $1_devpts_t;
-@@ -29,23 +30,24 @@ template(`virt_domain_template',`
+-	type $1_devpts_t;
++	type $1_devpts_t, virt_ptynode;
+ 	term_pty($1_devpts_t)
+ 
  	type $1_tmp_t;
  	files_tmp_file($1_tmp_t)
  
@@ -49332,7 +49414,7 @@ index 7c5d8d8..5c0a7a4 100644
  
  	manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
  	manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
-@@ -57,18 +59,6 @@ template(`virt_domain_template',`
+@@ -57,18 +60,6 @@ template(`virt_domain_template',`
  	manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
  	fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file })
  
@@ -49351,7 +49433,7 @@ index 7c5d8d8..5c0a7a4 100644
  	optional_policy(`
  		xserver_rw_shm($1_t)
  	')
-@@ -101,9 +91,9 @@ interface(`virt_image',`
+@@ -101,9 +92,9 @@ interface(`virt_image',`
  ##	Execute a domain transition to run virt.
  ## </summary>
  ## <param name="domain">
@@ -49363,7 +49445,7 @@ index 7c5d8d8..5c0a7a4 100644
  ## </param>
  #
  interface(`virt_domtrans',`
-@@ -164,13 +154,13 @@ interface(`virt_attach_tun_iface',`
+@@ -164,13 +155,13 @@ interface(`virt_attach_tun_iface',`
  #
  interface(`virt_read_config',`
  	gen_require(`
@@ -49379,7 +49461,7 @@ index 7c5d8d8..5c0a7a4 100644
  ')
  
  ########################################
-@@ -185,13 +175,13 @@ interface(`virt_read_config',`
+@@ -185,13 +176,13 @@ interface(`virt_read_config',`
  #
  interface(`virt_manage_config',`
  	gen_require(`
@@ -49395,7 +49477,7 @@ index 7c5d8d8..5c0a7a4 100644
  ')
  
  ########################################
-@@ -231,6 +221,24 @@ interface(`virt_read_content',`
+@@ -231,6 +222,24 @@ interface(`virt_read_content',`
  
  ########################################
  ## <summary>
@@ -49420,7 +49502,7 @@ index 7c5d8d8..5c0a7a4 100644
  ##	Read virt PID files.
  ## </summary>
  ## <param name="domain">
-@@ -269,6 +277,36 @@ interface(`virt_manage_pid_files',`
+@@ -269,6 +278,36 @@ interface(`virt_manage_pid_files',`
  
  ########################################
  ## <summary>
@@ -49457,7 +49539,7 @@ index 7c5d8d8..5c0a7a4 100644
  ##	Search virt lib directories.
  ## </summary>
  ## <param name="domain">
-@@ -308,6 +346,24 @@ interface(`virt_read_lib_files',`
+@@ -308,6 +347,24 @@ interface(`virt_read_lib_files',`
  
  ########################################
  ## <summary>
@@ -49482,7 +49564,7 @@ index 7c5d8d8..5c0a7a4 100644
  ##	Create, read, write, and delete
  ##	virt lib files.
  ## </summary>
-@@ -352,9 +408,9 @@ interface(`virt_read_log',`
+@@ -352,9 +409,9 @@ interface(`virt_read_log',`
  ##	virt log files.
  ## </summary>
  ## <param name="domain">
@@ -49494,7 +49576,7 @@ index 7c5d8d8..5c0a7a4 100644
  ## </param>
  #
  interface(`virt_append_log',`
-@@ -424,6 +480,24 @@ interface(`virt_read_images',`
+@@ -424,6 +481,24 @@ interface(`virt_read_images',`
  
  ########################################
  ## <summary>
@@ -49519,7 +49601,7 @@ index 7c5d8d8..5c0a7a4 100644
  ##	Create, read, write, and delete
  ##	svirt cache files.
  ## </summary>
-@@ -433,15 +507,15 @@ interface(`virt_read_images',`
+@@ -433,15 +508,15 @@ interface(`virt_read_images',`
  ##	</summary>
  ## </param>
  #
@@ -49540,7 +49622,7 @@ index 7c5d8d8..5c0a7a4 100644
  ')
  
  ########################################
-@@ -500,6 +574,7 @@ interface(`virt_manage_images',`
+@@ -500,6 +575,7 @@ interface(`virt_manage_images',`
  interface(`virt_admin',`
  	gen_require(`
  		type virtd_t, virtd_initrc_exec_t;
@@ -49548,7 +49630,7 @@ index 7c5d8d8..5c0a7a4 100644
  	')
  
  	allow $1 virtd_t:process { ptrace signal_perms };
-@@ -515,4 +590,188 @@ interface(`virt_admin',`
+@@ -515,4 +591,188 @@ interface(`virt_admin',`
  	virt_manage_lib_files($1)
  
  	virt_manage_log($1)
@@ -49738,14 +49820,15 @@ index 7c5d8d8..5c0a7a4 100644
 +	dontaudit $1 virt_image_type:chr_file read_chr_file_perms;
  ')
 diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..4dec4ad 100644
+index 3eca020..441810b 100644
 --- a/policy/modules/services/virt.te
 +++ b/policy/modules/services/virt.te
-@@ -5,56 +5,66 @@ policy_module(virt, 1.4.0)
+@@ -5,56 +5,67 @@ policy_module(virt, 1.4.0)
  # Declarations
  #
  
 +attribute virsh_transition_domain;
++attribute virt_ptynode;
 +
  ## <desc>
 -## <p>
@@ -49829,7 +49912,7 @@ index 3eca020..4dec4ad 100644
  
  type virt_etc_t;
  files_config_file(virt_etc_t)
-@@ -62,23 +72,31 @@ files_config_file(virt_etc_t)
+@@ -62,23 +73,31 @@ files_config_file(virt_etc_t)
  type virt_etc_rw_t;
  files_type(virt_etc_rw_t)
  
@@ -49862,7 +49945,7 @@ index 3eca020..4dec4ad 100644
  
  type virtd_t;
  type virtd_exec_t;
-@@ -89,6 +107,11 @@ domain_subj_id_change_exemption(virtd_t)
+@@ -89,6 +108,11 @@ domain_subj_id_change_exemption(virtd_t)
  type virtd_initrc_exec_t;
  init_script_file(virtd_initrc_exec_t)
  
@@ -49874,7 +49957,7 @@ index 3eca020..4dec4ad 100644
  ifdef(`enable_mcs',`
  	init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
  ')
-@@ -104,15 +127,12 @@ ifdef(`enable_mls',`
+@@ -104,15 +128,12 @@ ifdef(`enable_mls',`
  
  allow svirt_t self:udp_socket create_socket_perms;
  
@@ -49891,7 +49974,7 @@ index 3eca020..4dec4ad 100644
  fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file)
  
  list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
-@@ -133,6 +153,8 @@ dev_list_sysfs(svirt_t)
+@@ -133,6 +154,8 @@ dev_list_sysfs(svirt_t)
  userdom_search_user_home_content(svirt_t)
  userdom_read_user_home_content_symlinks(svirt_t)
  userdom_read_all_users_state(svirt_t)
@@ -49900,7 +49983,7 @@ index 3eca020..4dec4ad 100644
  
  tunable_policy(`virt_use_comm',`
  	term_use_unallocated_ttys(svirt_t)
-@@ -147,11 +169,15 @@ tunable_policy(`virt_use_fusefs',`
+@@ -147,11 +170,15 @@ tunable_policy(`virt_use_fusefs',`
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(svirt_t)
  	fs_manage_nfs_files(svirt_t)
@@ -49916,7 +49999,7 @@ index 3eca020..4dec4ad 100644
  ')
  
  tunable_policy(`virt_use_sysfs',`
-@@ -160,11 +186,22 @@ tunable_policy(`virt_use_sysfs',`
+@@ -160,11 +187,22 @@ tunable_policy(`virt_use_sysfs',`
  
  tunable_policy(`virt_use_usb',`
  	dev_rw_usbfs(svirt_t)
@@ -49939,7 +50022,7 @@ index 3eca020..4dec4ad 100644
  	xen_rw_image_files(svirt_t)
  ')
  
-@@ -174,21 +211,34 @@ optional_policy(`
+@@ -174,21 +212,34 @@ optional_policy(`
  #
  
  allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
@@ -49978,7 +50061,7 @@ index 3eca020..4dec4ad 100644
  
  read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
  read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -200,8 +250,14 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
+@@ -200,8 +251,15 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
  
  manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
  manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
@@ -49987,6 +50070,7 @@ index 3eca020..4dec4ad 100644
 +manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
 +allow virtd_t virt_image_type:file relabel_file_perms;
 +allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
++allow virtd_t virt_ptynode:chr_file rw_term_perms;
 +
 +manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
 +manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
@@ -49995,7 +50079,7 @@ index 3eca020..4dec4ad 100644
  
  manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
  manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
-@@ -220,6 +276,7 @@ files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
+@@ -220,6 +278,7 @@ files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
  kernel_read_system_state(virtd_t)
  kernel_read_network_state(virtd_t)
  kernel_rw_net_sysctls(virtd_t)
@@ -50003,7 +50087,7 @@ index 3eca020..4dec4ad 100644
  kernel_request_load_module(virtd_t)
  kernel_search_debugfs(virtd_t)
  
-@@ -239,22 +296,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
+@@ -239,22 +298,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
  corenet_rw_tun_tap_dev(virtd_t)
  
  dev_rw_sysfs(virtd_t)
@@ -50036,7 +50120,7 @@ index 3eca020..4dec4ad 100644
  
  fs_list_auto_mountpoints(virtd_t)
  fs_getattr_xattr_fs(virtd_t)
-@@ -262,6 +328,18 @@ fs_rw_anon_inodefs_files(virtd_t)
+@@ -262,6 +330,18 @@ fs_rw_anon_inodefs_files(virtd_t)
  fs_list_inotifyfs(virtd_t)
  fs_manage_cgroup_dirs(virtd_t)
  fs_rw_cgroup_files(virtd_t)
@@ -50055,7 +50139,7 @@ index 3eca020..4dec4ad 100644
  
  mcs_process_set_categories(virtd_t)
  
-@@ -285,16 +363,29 @@ modutils_read_module_config(virtd_t)
+@@ -285,16 +365,29 @@ modutils_read_module_config(virtd_t)
  modutils_manage_module_config(virtd_t)
  
  logging_send_syslog_msg(virtd_t)
@@ -50085,7 +50169,7 @@ index 3eca020..4dec4ad 100644
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virtd_t)
-@@ -313,6 +404,10 @@ optional_policy(`
+@@ -313,6 +406,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -50096,7 +50180,7 @@ index 3eca020..4dec4ad 100644
  	dbus_system_bus_client(virtd_t)
  
  	optional_policy(`
-@@ -329,6 +424,10 @@ optional_policy(`
+@@ -329,6 +426,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -50107,7 +50191,7 @@ index 3eca020..4dec4ad 100644
  	dnsmasq_domtrans(virtd_t)
  	dnsmasq_signal(virtd_t)
  	dnsmasq_kill(virtd_t)
-@@ -365,6 +464,12 @@ optional_policy(`
+@@ -365,6 +466,12 @@ optional_policy(`
  	qemu_signal(virtd_t)
  	qemu_kill(virtd_t)
  	qemu_setsched(virtd_t)
@@ -50120,7 +50204,7 @@ index 3eca020..4dec4ad 100644
  ')
  
  optional_policy(`
-@@ -385,23 +490,37 @@ optional_policy(`
+@@ -385,23 +492,37 @@ optional_policy(`
  	udev_read_db(virtd_t)
  ')
  
@@ -50163,7 +50247,7 @@ index 3eca020..4dec4ad 100644
  append_files_pattern(virt_domain, virt_log_t, virt_log_t)
  
  append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-@@ -418,10 +537,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
+@@ -418,10 +539,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
  corenet_tcp_sendrecv_all_ports(virt_domain)
  corenet_tcp_bind_generic_node(virt_domain)
  corenet_tcp_bind_vnc_port(virt_domain)
@@ -50176,7 +50260,7 @@ index 3eca020..4dec4ad 100644
  dev_read_rand(virt_domain)
  dev_read_sound(virt_domain)
  dev_read_urand(virt_domain)
-@@ -429,10 +549,12 @@ dev_write_sound(virt_domain)
+@@ -429,10 +551,12 @@ dev_write_sound(virt_domain)
  dev_rw_ksm(virt_domain)
  dev_rw_kvm(virt_domain)
  dev_rw_qemu(virt_domain)
@@ -50189,7 +50273,7 @@ index 3eca020..4dec4ad 100644
  files_read_usr_files(virt_domain)
  files_read_var_files(virt_domain)
  files_search_all(virt_domain)
-@@ -440,8 +562,16 @@ files_search_all(virt_domain)
+@@ -440,8 +564,16 @@ files_search_all(virt_domain)
  fs_getattr_tmpfs(virt_domain)
  fs_rw_anon_inodefs_files(virt_domain)
  fs_rw_tmpfs_files(virt_domain)
@@ -50207,7 +50291,7 @@ index 3eca020..4dec4ad 100644
  term_getattr_pty_fs(virt_domain)
  term_use_generic_ptys(virt_domain)
  term_use_ptmx(virt_domain)
-@@ -457,8 +587,117 @@ optional_policy(`
+@@ -457,8 +589,117 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -50232,7 +50316,7 @@ index 3eca020..4dec4ad 100644
 +typealias virsh_exec_t alias xm_exec_t;
 +
 +allow virsh_t self:capability { setpcap dac_override ipc_lock sys_tty_config };
-+allow virsh_t self:process { getcap getsched setcap signal };
++allow virsh_t self:process { getcap getsched setsched setcap signal };
 +allow virsh_t self:fifo_file rw_fifo_file_perms;
 +allow virsh_t self:unix_stream_socket { create_stream_socket_perms connectto };
 +allow virsh_t self:tcp_socket create_stream_socket_perms;
@@ -54096,7 +54180,7 @@ index 354ce93..b8b14b9 100644
  ')
 +/var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 94fd8dd..2ae760f 100644
+index 94fd8dd..99fe8d1 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
 @@ -79,6 +79,41 @@ interface(`init_script_domain',`
@@ -54165,7 +54249,7 @@ index 94fd8dd..2ae760f 100644
  	')
  
  	typeattribute $1 daemon;
-@@ -204,7 +245,23 @@ interface(`init_daemon_domain',`
+@@ -204,7 +245,24 @@ interface(`init_daemon_domain',`
  
  	role system_r types $1;
  
@@ -54184,13 +54268,14 @@ index 94fd8dd..2ae760f 100644
 +	tunable_policy(`init_systemd',`
 +		allow init_t $1:unix_stream_socket create_stream_socket_perms;
 +		allow init_t $1:unix_dgram_socket create_socket_perms;
++		allow init_t $1:tcp_socket create_stream_socket_perms;
 +		allow $1 init_t:unix_dgram_socket sendto;
 +		dontaudit $1 init_t:unix_stream_socket { read ioctl getattr };
 +	')
  
  	# daemons started from init will
  	# inherit fds from init for the console
-@@ -231,6 +288,8 @@ interface(`init_daemon_domain',`
+@@ -231,6 +289,8 @@ interface(`init_daemon_domain',`
  		ifdef(`distro_rhel4',`
  			kernel_dontaudit_use_fds($1)
  		')
@@ -54199,7 +54284,7 @@ index 94fd8dd..2ae760f 100644
  	')
  
  	optional_policy(`
-@@ -283,17 +342,20 @@ interface(`init_daemon_domain',`
+@@ -283,17 +343,20 @@ interface(`init_daemon_domain',`
  interface(`init_ranged_daemon_domain',`
  	gen_require(`
  		type initrc_t;
@@ -54221,7 +54306,7 @@ index 94fd8dd..2ae760f 100644
  	')
  ')
  
-@@ -336,15 +398,32 @@ interface(`init_ranged_daemon_domain',`
+@@ -336,15 +399,32 @@ interface(`init_ranged_daemon_domain',`
  #
  interface(`init_system_domain',`
  	gen_require(`
@@ -54255,7 +54340,7 @@ index 94fd8dd..2ae760f 100644
  
  	ifdef(`hide_broken_symptoms',`
  		# RHEL4 systems seem to have a stray
-@@ -353,6 +432,41 @@ interface(`init_system_domain',`
+@@ -353,6 +433,41 @@ interface(`init_system_domain',`
  			kernel_dontaudit_use_fds($1)
  		')
  	')
@@ -54297,7 +54382,7 @@ index 94fd8dd..2ae760f 100644
  ')
  
  ########################################
-@@ -401,16 +515,19 @@ interface(`init_system_domain',`
+@@ -401,16 +516,19 @@ interface(`init_system_domain',`
  interface(`init_ranged_system_domain',`
  	gen_require(`
  		type initrc_t;
@@ -54317,7 +54402,7 @@ index 94fd8dd..2ae760f 100644
  		mls_rangetrans_target($1)
  	')
  ')
-@@ -451,6 +568,10 @@ interface(`init_exec',`
+@@ -451,6 +569,10 @@ interface(`init_exec',`
  
  	corecmd_search_bin($1)
  	can_exec($1, init_exec_t)
@@ -54328,7 +54413,7 @@ index 94fd8dd..2ae760f 100644
  ')
  
  ########################################
-@@ -509,6 +630,24 @@ interface(`init_sigchld',`
+@@ -509,6 +631,24 @@ interface(`init_sigchld',`
  
  ########################################
  ## <summary>
@@ -54353,7 +54438,7 @@ index 94fd8dd..2ae760f 100644
  ##	Connect to init with a unix socket.
  ## </summary>
  ## <param name="domain">
-@@ -519,10 +658,29 @@ interface(`init_sigchld',`
+@@ -519,10 +659,29 @@ interface(`init_sigchld',`
  #
  interface(`init_stream_connect',`
  	gen_require(`
@@ -54385,7 +54470,7 @@ index 94fd8dd..2ae760f 100644
  ')
  
  ########################################
-@@ -688,19 +846,25 @@ interface(`init_telinit',`
+@@ -688,19 +847,25 @@ interface(`init_telinit',`
  		type initctl_t;
  	')
  
@@ -54412,7 +54497,7 @@ index 94fd8dd..2ae760f 100644
  	')
  ')
  
-@@ -730,7 +894,7 @@ interface(`init_rw_initctl',`
+@@ -730,7 +895,7 @@ interface(`init_rw_initctl',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -54421,7 +54506,7 @@ index 94fd8dd..2ae760f 100644
  ##	</summary>
  ## </param>
  #
-@@ -773,18 +937,19 @@ interface(`init_script_file_entry_type',`
+@@ -773,18 +938,19 @@ interface(`init_script_file_entry_type',`
  #
  interface(`init_spec_domtrans_script',`
  	gen_require(`
@@ -54445,7 +54530,7 @@ index 94fd8dd..2ae760f 100644
  	')
  ')
  
-@@ -800,19 +965,41 @@ interface(`init_spec_domtrans_script',`
+@@ -800,19 +966,41 @@ interface(`init_spec_domtrans_script',`
  #
  interface(`init_domtrans_script',`
  	gen_require(`
@@ -54491,7 +54576,7 @@ index 94fd8dd..2ae760f 100644
  ')
  
  ########################################
-@@ -868,9 +1055,14 @@ interface(`init_script_file_domtrans',`
+@@ -868,9 +1056,14 @@ interface(`init_script_file_domtrans',`
  interface(`init_labeled_script_domtrans',`
  	gen_require(`
  		type initrc_t;
@@ -54506,7 +54591,7 @@ index 94fd8dd..2ae760f 100644
  	files_search_etc($1)
  ')
  
-@@ -1079,6 +1271,24 @@ interface(`init_read_all_script_files',`
+@@ -1079,6 +1272,24 @@ interface(`init_read_all_script_files',`
  
  #######################################
  ## <summary>
@@ -54531,7 +54616,7 @@ index 94fd8dd..2ae760f 100644
  ##	Dontaudit read all init script files.
  ## </summary>
  ## <param name="domain">
-@@ -1130,12 +1340,7 @@ interface(`init_read_script_state',`
+@@ -1130,12 +1341,7 @@ interface(`init_read_script_state',`
  	')
  
  	kernel_search_proc($1)
@@ -54545,7 +54630,7 @@ index 94fd8dd..2ae760f 100644
  ')
  
  ########################################
-@@ -1375,6 +1580,27 @@ interface(`init_dbus_send_script',`
+@@ -1375,6 +1581,27 @@ interface(`init_dbus_send_script',`
  ########################################
  ## <summary>
  ##	Send and receive messages from
@@ -54573,7 +54658,7 @@ index 94fd8dd..2ae760f 100644
  ##	init scripts over dbus.
  ## </summary>
  ## <param name="domain">
-@@ -1461,6 +1687,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1461,6 +1688,25 @@ interface(`init_getattr_script_status_files',`
  
  ########################################
  ## <summary>
@@ -54599,7 +54684,7 @@ index 94fd8dd..2ae760f 100644
  ##	Do not audit attempts to read init script
  ##	status files.
  ## </summary>
-@@ -1519,6 +1764,24 @@ interface(`init_rw_script_tmp_files',`
+@@ -1519,6 +1765,24 @@ interface(`init_rw_script_tmp_files',`
  
  ########################################
  ## <summary>
@@ -54624,7 +54709,7 @@ index 94fd8dd..2ae760f 100644
  ##	Create files in a init script
  ##	temporary data directory.
  ## </summary>
-@@ -1674,7 +1937,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1674,7 +1938,7 @@ interface(`init_dontaudit_rw_utmp',`
  		type initrc_var_run_t;
  	')
  
@@ -54633,7 +54718,7 @@ index 94fd8dd..2ae760f 100644
  ')
  
  ########################################
-@@ -1715,6 +1978,92 @@ interface(`init_pid_filetrans_utmp',`
+@@ -1715,6 +1979,92 @@ interface(`init_pid_filetrans_utmp',`
  	files_pid_filetrans($1, initrc_var_run_t, file)
  ')
  
@@ -54726,7 +54811,7 @@ index 94fd8dd..2ae760f 100644
  ########################################
  ## <summary>
  ##	Allow the specified domain to connect to daemon with a tcp socket
-@@ -1749,3 +2098,156 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1749,3 +2099,156 @@ interface(`init_udp_recvfrom_all_daemons',`
  	')
  	corenet_udp_recvfrom_labeled($1, daemon)
  ')
@@ -54884,7 +54969,7 @@ index 94fd8dd..2ae760f 100644
 +	read_fifo_files_pattern($1, initrc_var_run_t, initrc_var_run_t)
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 29a9565..e30550a 100644
+index 29a9565..3e12154 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,34 @@ gen_require(`
@@ -55571,7 +55656,15 @@ index 29a9565..e30550a 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -706,7 +1014,13 @@ optional_policy(`
+@@ -689,6 +997,7 @@ optional_policy(`
+ 	lpd_list_spool(initrc_t)
+ 
+ 	lpd_read_config(initrc_t)
++	lpd_manage_spool(init_t)
+ ')
+ 
+ optional_policy(`
+@@ -706,7 +1015,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -55585,7 +55678,7 @@ index 29a9565..e30550a 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -729,6 +1043,10 @@ optional_policy(`
+@@ -729,6 +1044,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -55596,7 +55689,7 @@ index 29a9565..e30550a 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -738,10 +1056,20 @@ optional_policy(`
+@@ -738,10 +1057,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -55617,7 +55710,7 @@ index 29a9565..e30550a 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -750,6 +1078,10 @@ optional_policy(`
+@@ -750,6 +1079,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -55628,7 +55721,7 @@ index 29a9565..e30550a 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -771,8 +1103,6 @@ optional_policy(`
+@@ -771,8 +1104,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -55637,7 +55730,7 @@ index 29a9565..e30550a 100644
  ')
  
  optional_policy(`
-@@ -790,10 +1120,12 @@ optional_policy(`
+@@ -790,10 +1121,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -55650,7 +55743,7 @@ index 29a9565..e30550a 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -805,7 +1137,6 @@ optional_policy(`
+@@ -805,7 +1138,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -55658,7 +55751,7 @@ index 29a9565..e30550a 100644
  	udev_manage_pid_files(initrc_t)
  	udev_manage_rules_files(initrc_t)
  ')
-@@ -815,11 +1146,24 @@ optional_policy(`
+@@ -815,11 +1147,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -55684,7 +55777,7 @@ index 29a9565..e30550a 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -829,6 +1173,25 @@ optional_policy(`
+@@ -829,6 +1174,25 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -55710,7 +55803,7 @@ index 29a9565..e30550a 100644
  ')
  
  optional_policy(`
-@@ -844,6 +1207,10 @@ optional_policy(`
+@@ -844,6 +1208,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -55721,7 +55814,7 @@ index 29a9565..e30550a 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -854,3 +1221,45 @@ optional_policy(`
+@@ -854,3 +1222,45 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -55947,7 +56040,7 @@ index 55a6cd8..bec6385 100644
 +userdom_read_user_tmp_files(setkey_t)
  
 diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
-index 05fb364..2538de7 100644
+index 05fb364..6b895d1 100644
 --- a/policy/modules/system/iptables.fc
 +++ b/policy/modules/system/iptables.fc
 @@ -1,7 +1,5 @@
@@ -55959,7 +56052,7 @@ index 05fb364..2538de7 100644
  
  /sbin/ebtables			--	gen_context(system_u:object_r:iptables_exec_t,s0)
  /sbin/ebtables-restore		--	gen_context(system_u:object_r:iptables_exec_t,s0)
-@@ -12,8 +10,3 @@
+@@ -12,8 +10,4 @@
  /sbin/ipvsadm			--	gen_context(system_u:object_r:iptables_exec_t,s0)
  /sbin/ipvsadm-restore		--	gen_context(system_u:object_r:iptables_exec_t,s0)
  /sbin/ipvsadm-save		--	gen_context(system_u:object_r:iptables_exec_t,s0)
@@ -55968,6 +56061,7 @@ index 05fb364..2538de7 100644
 -/usr/sbin/iptables		--	gen_context(system_u:object_r:iptables_exec_t,s0)
 -/usr/sbin/iptables-multi 	--	gen_context(system_u:object_r:iptables_exec_t,s0)
 -/usr/sbin/iptables-restore	--	gen_context(system_u:object_r:iptables_exec_t,s0)
++/sbin/xtables-multi	--	gen_context(system_u:object_r:iptables_exec_t,s0)
 diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
 index f3e1b57..a7b2adc 100644
 --- a/policy/modules/system/iptables.te
diff --git a/selinux-policy.spec b/selinux-policy.spec
index b41e2be..c0758c9 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -209,6 +209,9 @@ else \
 %relabel %2 \
 fi;
 
+%define modulesList() \
+awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s.pp ", $1 }' ./policy/modules.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules.lst \
+
 %description
 SELinux Reference Policy - modular.
 Based off of reference policy: Checked out revision  2.20091117
@@ -251,7 +254,7 @@ make clean
 # Commented out because only minimum ref policy currently builds
 %makeCmds minimum mcs n y allow
 %installCmds minimum mcs n y allow
-awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s.pp ", $1 }' ./policy/modules.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules.lst
+%modulesList minimum
 %endif
 
 %if %{BUILD_MLS}
@@ -416,7 +419,7 @@ exit 0
 %defattr(-,root,root,-)
 %config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/unconfined_u
 %fileList minimum
-%{_usr}/share/selinux/%1/modules.lst
+%{_usr}/share/selinux/minimum/modules.lst
 %endif
 
 %if %{BUILD_MLS}
@@ -449,6 +452,12 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Thu Jul 14 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-4
+- Allow setsched for virsh
+- Systemd needs to impersonate cups, which means it needs to create tcp_sockets in cups_t domain, as well as manage spool directories
+- iptables: the various /sbin/ip6?tables.* are now symlinks for
+/sbin/xtables-multi
+
 * Tue Jul 12 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-3
 - A lot of users are running yum -y update while in /root which is causing ldconfig to list the contents, adding dontaudit
 - Allow colord to interact with the users through the tmpfs file system