diff --git a/policy-F15.patch b/policy-F15.patch
index 87dc4e7..b9debd1 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -633,7 +633,7 @@ index 3c7b1e8..1e155f5 100644
+
+/var/run/epylog\.pid gen_context(system_u:object_r:logwatch_var_run_t,s0)
diff --git a/policy/modules/admin/logwatch.te b/policy/modules/admin/logwatch.te
-index 75ce30f..f7dcdf8 100644
+index 75ce30f..68cb617 100644
--- a/policy/modules/admin/logwatch.te
+++ b/policy/modules/admin/logwatch.te
@@ -19,6 +19,9 @@ files_lock_file(logwatch_lock_t)
@@ -665,13 +665,14 @@ index 75ce30f..f7dcdf8 100644
term_dontaudit_getattr_pty_dirs(logwatch_t)
term_dontaudit_list_ptys(logwatch_t)
-@@ -92,11 +100,20 @@ sysnet_dns_name_resolve(logwatch_t)
+@@ -92,11 +100,21 @@ sysnet_dns_name_resolve(logwatch_t)
sysnet_exec_ifconfig(logwatch_t)
userdom_dontaudit_search_user_home_dirs(logwatch_t)
-+userdom_dontaudit_list_admin_dir(logwatch_t)
-
+-
-mta_send_mail(logwatch_t)
++userdom_dontaudit_list_admin_dir(logwatch_t)
++
+#mta_send_mail(logwatch_t)
+mta_base_mail_template(logwatch)
+mta_sendmail_domtrans(logwatch_t, logwatch_mail_t)
@@ -680,6 +681,7 @@ index 75ce30f..f7dcdf8 100644
+manage_files_pattern(logwatch_mail_t, logwatch_tmp_t, logwatch_tmp_t)
+allow logwatch_mail_t self:capability { dac_read_search dac_override };
+mta_read_home(logwatch_mail_t)
++dev_read_rand(logwatch_mail_t)
ifdef(`distro_redhat',`
files_search_all(logwatch_t)
@@ -8296,7 +8298,7 @@ index b06df19..c0763c2 100644
## </summary>
## <param name="domain">
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index edefaf3..14fc728 100644
+index edefaf3..900fc3d 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -15,6 +15,7 @@ attribute rpc_port_type;
@@ -8387,7 +8389,7 @@ index edefaf3..14fc728 100644
network_port(i18n_input, tcp,9010,s0)
network_port(imaze, tcp,5323,s0, udp,5323,s0)
network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
-@@ -125,30 +147,35 @@ network_port(iscsi, tcp,3260,s0)
+@@ -125,43 +147,57 @@ network_port(iscsi, tcp,3260,s0)
network_port(isns, tcp,3205,s0, udp,3205,s0)
network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
network_port(jabber_interserver, tcp,5269,s0)
@@ -8425,9 +8427,10 @@ index edefaf3..14fc728 100644
-network_port(ntop, tcp,3000,s0, udp,3000,s0, tcp,3001,s0, udp,3001,s0)
+network_port(ntop, tcp,3000-3001,s0, udp,3000-3001,s0)
network_port(ntp, udp,123,s0)
++network_port(oracle, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0)
network_port(ocsp, tcp,9080,s0)
network_port(openvpn, tcp,1194,s0, udp,1194,s0)
-@@ -156,12 +183,20 @@ network_port(pegasus_http, tcp,5988,s0)
+ network_port(pegasus_http, tcp,5988,s0)
network_port(pegasus_https, tcp,5989,s0)
network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
network_port(pingd, tcp,9125,s0)
@@ -8448,7 +8451,7 @@ index edefaf3..14fc728 100644
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
network_port(pulseaudio, tcp,4713,s0)
-@@ -176,43 +211,49 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0)
+@@ -176,43 +212,49 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0)
network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
network_port(rlogind, tcp,513,s0)
network_port(rndc, tcp,953,s0)
@@ -8505,7 +8508,7 @@ index edefaf3..14fc728 100644
network_port(zookeeper_client, tcp,2181,s0)
network_port(zookeeper_election, tcp,3888,s0)
network_port(zookeeper_leader, tcp,2888,s0)
-@@ -274,5 +315,5 @@ allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_conn
+@@ -274,5 +316,5 @@ allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_conn
allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
# Bind to any network address.
@@ -8550,7 +8553,7 @@ index 3b2da10..7c29e17 100644
+#
+/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index 15a7bef..ee7727f 100644
+index 15a7bef..6d68113 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -146,8 +146,8 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -8757,7 +8760,32 @@ index 15a7bef..ee7727f 100644
## Do not audit attempts to get the attributes of
## the autofs device node.
## </summary>
-@@ -3048,24 +3192,6 @@ interface(`dev_rw_printer',`
+@@ -1979,6 +2123,24 @@ interface(`dev_read_kmsg',`
+
+ ########################################
+ ## <summary>
++## Do not audit attempts to read the kernel messages
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`dev_dontaudit_read_kmsg',`
++ gen_require(`
++ type kmsg_device_t;
++ ')
++
++ dontaudit $1 kmsg_device_t:chr_file read;
++')
++
++########################################
++## <summary>
+ ## Write to the kernel messages device
+ ## </summary>
+ ## <param name="domain">
+@@ -3048,24 +3210,6 @@ interface(`dev_rw_printer',`
########################################
## <summary>
@@ -8782,7 +8810,7 @@ index 15a7bef..ee7727f 100644
## Get the attributes of the QEMU
## microcode and id interfaces.
## </summary>
-@@ -3613,6 +3739,24 @@ interface(`dev_manage_smartcard',`
+@@ -3613,6 +3757,24 @@ interface(`dev_manage_smartcard',`
########################################
## <summary>
@@ -8807,7 +8835,7 @@ index 15a7bef..ee7727f 100644
## Get the attributes of sysfs directories.
## </summary>
## <param name="domain">
-@@ -3773,6 +3917,42 @@ interface(`dev_rw_sysfs',`
+@@ -3773,6 +3935,42 @@ interface(`dev_rw_sysfs',`
########################################
## <summary>
@@ -8850,7 +8878,7 @@ index 15a7bef..ee7727f 100644
## Read from pseudo random number generator devices (e.g., /dev/urandom).
## </summary>
## <desc>
-@@ -3942,6 +4122,24 @@ interface(`dev_read_usbmon_dev',`
+@@ -3942,6 +4140,24 @@ interface(`dev_read_usbmon_dev',`
########################################
## <summary>
@@ -8875,7 +8903,7 @@ index 15a7bef..ee7727f 100644
## Mount a usbfs filesystem.
## </summary>
## <param name="domain">
-@@ -4252,11 +4450,10 @@ interface(`dev_write_video_dev',`
+@@ -4252,11 +4468,10 @@ interface(`dev_write_video_dev',`
#
interface(`dev_rw_vhost',`
gen_require(`
@@ -9263,7 +9291,7 @@ index 3517db2..ebf38e4 100644
+
+/usr/lib/debug <<none>>
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index ed203b2..7825dd2 100644
+index ed203b2..d38c240 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',`
@@ -9489,7 +9517,32 @@ index ed203b2..7825dd2 100644
')
########################################
-@@ -3365,6 +3517,24 @@ interface(`files_list_mnt',`
+@@ -3287,6 +3439,24 @@ interface(`files_dontaudit_getattr_lost_found_dirs',`
+ dontaudit $1 lost_found_t:dir getattr;
+ ')
+
++#######################################
++## <summary>
++## List the contents of /tmp/lost-found
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_list_lost_found_dirs',`
++ gen_require(`
++ type lost_found_t;
++ ')
++
++ allow $1 lost_found_t:dir list_dir_perms;
++')
++
+ ########################################
+ ## <summary>
+ ## Create, read, write, and delete objects in
+@@ -3365,6 +3535,24 @@ interface(`files_list_mnt',`
allow $1 mnt_t:dir list_dir_perms;
')
@@ -9514,7 +9567,7 @@ index ed203b2..7825dd2 100644
########################################
## <summary>
## Mount a filesystem on /mnt.
-@@ -3438,6 +3608,24 @@ interface(`files_read_mnt_files',`
+@@ -3438,6 +3626,24 @@ interface(`files_read_mnt_files',`
read_files_pattern($1, mnt_t, mnt_t)
')
@@ -9539,7 +9592,7 @@ index ed203b2..7825dd2 100644
########################################
## <summary>
## Create, read, write, and delete symbolic links in /mnt.
-@@ -3729,6 +3917,100 @@ interface(`files_read_world_readable_sockets',`
+@@ -3729,6 +3935,100 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
@@ -9640,7 +9693,7 @@ index ed203b2..7825dd2 100644
########################################
## <summary>
## Allow the specified type to associate
-@@ -3914,6 +4196,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -3914,6 +4214,32 @@ interface(`files_manage_generic_tmp_dirs',`
########################################
## <summary>
@@ -9673,7 +9726,7 @@ index ed203b2..7825dd2 100644
## Manage temporary files and directories in /tmp.
## </summary>
## <param name="domain">
-@@ -3968,7 +4276,7 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -3968,7 +4294,7 @@ interface(`files_rw_generic_tmp_sockets',`
########################################
## <summary>
@@ -9682,7 +9735,7 @@ index ed203b2..7825dd2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3976,17 +4284,17 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -3976,17 +4302,17 @@ interface(`files_rw_generic_tmp_sockets',`
## </summary>
## </param>
#
@@ -9704,7 +9757,7 @@ index ed203b2..7825dd2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3994,74 +4302,77 @@ interface(`files_setattr_all_tmp_dirs',`
+@@ -3994,74 +4320,77 @@ interface(`files_setattr_all_tmp_dirs',`
## </summary>
## </param>
#
@@ -9800,7 +9853,7 @@ index ed203b2..7825dd2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -4069,36 +4380,111 @@ interface(`files_dontaudit_getattr_all_tmp_sockets',`
+@@ -4069,22 +4398,97 @@ interface(`files_dontaudit_getattr_all_tmp_sockets',`
## </summary>
## </param>
#
@@ -9824,21 +9877,10 @@ index ed203b2..7825dd2 100644
## <param name="domain">
## <summary>
-## Domain allowed access.
--## </summary>
--## </param>
--## <param name="private type">
--## <summary>
--## The type of the object to be created.
--## </summary>
--## </param>
--## <param name="object">
--## <summary>
--## The object class of the object being created.
+## Domain not to audit.
- ## </summary>
- ## </param>
- #
--interface(`files_tmp_filetrans',`
++## </summary>
++## </param>
++#
+interface(`files_dontaudit_getattr_all_tmp_files',`
+ gen_require(`
+ attribute tmpfile;
@@ -9911,24 +9953,10 @@ index ed203b2..7825dd2 100644
+## <param name="domain">
+## <summary>
+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <param name="private type">
-+## <summary>
-+## The type of the object to be created.
-+## </summary>
-+## </param>
-+## <param name="object">
-+## <summary>
-+## The object class of the object being created.
-+## </summary>
-+## </param>
-+#
-+interface(`files_tmp_filetrans',`
- gen_require(`
- type tmp_t;
- ')
-@@ -4127,6 +4513,13 @@ interface(`files_purge_tmp',`
+ ## </summary>
+ ## </param>
+ ## <param name="private type">
+@@ -4127,6 +4531,13 @@ interface(`files_purge_tmp',`
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -9942,7 +9970,7 @@ index ed203b2..7825dd2 100644
')
########################################
-@@ -4736,6 +5129,24 @@ interface(`files_read_var_files',`
+@@ -4736,6 +5147,24 @@ interface(`files_read_var_files',`
########################################
## <summary>
@@ -9967,7 +9995,7 @@ index ed203b2..7825dd2 100644
## Read and write files in the /var directory.
## </summary>
## <param name="domain">
-@@ -5071,6 +5482,24 @@ interface(`files_manage_mounttab',`
+@@ -5071,6 +5500,24 @@ interface(`files_manage_mounttab',`
########################################
## <summary>
@@ -9992,7 +10020,7 @@ index ed203b2..7825dd2 100644
## Search the locks directory (/var/lock).
## </summary>
## <param name="domain">
-@@ -5156,12 +5585,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5156,12 +5603,12 @@ interface(`files_getattr_generic_locks',`
## </param>
#
interface(`files_delete_generic_locks',`
@@ -10009,7 +10037,7 @@ index ed203b2..7825dd2 100644
')
########################################
-@@ -5207,6 +5636,27 @@ interface(`files_delete_all_locks',`
+@@ -5207,6 +5654,27 @@ interface(`files_delete_all_locks',`
########################################
## <summary>
@@ -10037,7 +10065,7 @@ index ed203b2..7825dd2 100644
## Read all lock files.
## </summary>
## <param name="domain">
-@@ -5335,6 +5785,43 @@ interface(`files_search_pids',`
+@@ -5335,6 +5803,43 @@ interface(`files_search_pids',`
search_dirs_pattern($1, var_t, var_run_t)
')
@@ -10081,7 +10109,7 @@ index ed203b2..7825dd2 100644
########################################
## <summary>
## Do not audit attempts to search
-@@ -5542,6 +6029,62 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -5542,6 +6047,62 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
## <summary>
@@ -10144,7 +10172,7 @@ index ed203b2..7825dd2 100644
## Read all process ID files.
## </summary>
## <param name="domain">
-@@ -5559,6 +6102,44 @@ interface(`files_read_all_pids',`
+@@ -5559,6 +6120,44 @@ interface(`files_read_all_pids',`
list_dirs_pattern($1, var_t, pidfile)
read_files_pattern($1, pidfile, pidfile)
@@ -10189,7 +10217,7 @@ index ed203b2..7825dd2 100644
')
########################################
-@@ -5844,3 +6425,247 @@ interface(`files_unconfined',`
+@@ -5844,3 +6443,247 @@ interface(`files_unconfined',`
typeattribute $1 files_unconfined_type;
')
@@ -14023,7 +14051,7 @@ index c0f858d..d639ae0 100644
accountsd_manage_lib_files($1)
diff --git a/policy/modules/services/accountsd.te b/policy/modules/services/accountsd.te
-index 1632f10..2724c11 100644
+index 1632f10..f6e570c 100644
--- a/policy/modules/services/accountsd.te
+++ b/policy/modules/services/accountsd.te
@@ -8,6 +8,8 @@ policy_module(accountsd, 1.0.0)
@@ -14035,7 +14063,15 @@ index 1632f10..2724c11 100644
type accountsd_var_lib_t;
files_type(accountsd_var_lib_t)
-@@ -55,3 +57,8 @@ optional_policy(`
+@@ -32,6 +34,7 @@ files_read_usr_files(accountsd_t)
+ files_read_mnt_files(accountsd_t)
+
+ fs_list_inotifyfs(accountsd_t)
++fs_getattr_xattr_fs(accountsd_t)
+ fs_read_noxattr_fs_files(accountsd_t)
+
+ auth_use_nsswitch(accountsd_t)
+@@ -55,3 +58,8 @@ optional_policy(`
optional_policy(`
policykit_dbus_chat(accountsd_t)
')
@@ -15177,7 +15213,7 @@ index c9e1a44..1a1ba36 100644
+ dontaudit $1 httpd_tmp_t:file { read write };
')
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 08dfa0c..b02e348 100644
+index 08dfa0c..9dd70c3 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -18,130 +18,195 @@ policy_module(apache, 2.2.0)
@@ -15557,7 +15593,7 @@ index 08dfa0c..b02e348 100644
libs_read_lib_files(httpd_t)
-@@ -416,34 +509,71 @@ seutil_dontaudit_search_config(httpd_t)
+@@ -416,34 +509,73 @@ seutil_dontaudit_search_config(httpd_t)
userdom_use_unpriv_users_fds(httpd_t)
@@ -15593,6 +15629,8 @@ index 08dfa0c..b02e348 100644
+tunable_policy(`httpd_can_network_connect_db',`
+ corenet_tcp_connect_mssql_port(httpd_t)
+ corenet_sendrecv_mssql_client_packets(httpd_t)
++ corenet_tcp_connect_oracle_port(httpd_t)
++ corenet_sendrecv_oracle_client_packets(httpd_t)
+')
+
+tunable_policy(`httpd_can_network_memcache',`
@@ -15631,7 +15669,7 @@ index 08dfa0c..b02e348 100644
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -456,6 +586,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -456,6 +588,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
@@ -15642,7 +15680,7 @@ index 08dfa0c..b02e348 100644
manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
-@@ -466,8 +600,12 @@ tunable_policy(`httpd_enable_ftp_server',`
+@@ -466,8 +602,12 @@ tunable_policy(`httpd_enable_ftp_server',`
corenet_tcp_bind_ftp_port(httpd_t)
')
@@ -15657,7 +15695,7 @@ index 08dfa0c..b02e348 100644
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -475,6 +613,12 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -475,6 +615,12 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_symlinks(httpd_t)
')
@@ -15670,7 +15708,7 @@ index 08dfa0c..b02e348 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_t)
fs_read_cifs_symlinks(httpd_t)
-@@ -484,7 +628,16 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -484,7 +630,16 @@ tunable_policy(`httpd_can_sendmail',`
# allow httpd to connect to mail servers
corenet_tcp_connect_smtp_port(httpd_t)
corenet_sendrecv_smtp_client_packets(httpd_t)
@@ -15687,7 +15725,7 @@ index 08dfa0c..b02e348 100644
')
tunable_policy(`httpd_ssi_exec',`
-@@ -500,8 +653,10 @@ tunable_policy(`httpd_ssi_exec',`
+@@ -500,8 +655,10 @@ tunable_policy(`httpd_ssi_exec',`
# are dontaudited here.
tunable_policy(`httpd_tty_comm',`
userdom_use_user_terminals(httpd_t)
@@ -15698,7 +15736,7 @@ index 08dfa0c..b02e348 100644
')
optional_policy(`
-@@ -513,7 +668,13 @@ optional_policy(`
+@@ -513,7 +670,13 @@ optional_policy(`
')
optional_policy(`
@@ -15713,7 +15751,7 @@ index 08dfa0c..b02e348 100644
')
optional_policy(`
-@@ -528,7 +689,18 @@ optional_policy(`
+@@ -528,7 +691,18 @@ optional_policy(`
daemontools_service_domain(httpd_t, httpd_exec_t)
')
@@ -15733,7 +15771,7 @@ index 08dfa0c..b02e348 100644
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
-@@ -537,8 +709,13 @@ optional_policy(`
+@@ -537,8 +711,13 @@ optional_policy(`
')
optional_policy(`
@@ -15748,7 +15786,7 @@ index 08dfa0c..b02e348 100644
')
')
-@@ -556,7 +733,13 @@ optional_policy(`
+@@ -556,7 +735,13 @@ optional_policy(`
')
optional_policy(`
@@ -15762,7 +15800,7 @@ index 08dfa0c..b02e348 100644
mysql_stream_connect(httpd_t)
mysql_rw_db_sockets(httpd_t)
-@@ -567,6 +750,7 @@ optional_policy(`
+@@ -567,6 +752,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -15770,7 +15808,7 @@ index 08dfa0c..b02e348 100644
')
optional_policy(`
-@@ -577,6 +761,16 @@ optional_policy(`
+@@ -577,6 +763,16 @@ optional_policy(`
')
optional_policy(`
@@ -15787,7 +15825,7 @@ index 08dfa0c..b02e348 100644
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
postgresql_unpriv_client(httpd_t)
-@@ -591,6 +785,11 @@ optional_policy(`
+@@ -591,6 +787,11 @@ optional_policy(`
')
optional_policy(`
@@ -15799,7 +15837,7 @@ index 08dfa0c..b02e348 100644
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -603,6 +802,11 @@ optional_policy(`
+@@ -603,6 +804,11 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -15811,7 +15849,7 @@ index 08dfa0c..b02e348 100644
########################################
#
# Apache helper local policy
-@@ -618,6 +822,10 @@ logging_send_syslog_msg(httpd_helper_t)
+@@ -618,6 +824,10 @@ logging_send_syslog_msg(httpd_helper_t)
userdom_use_user_terminals(httpd_helper_t)
@@ -15822,7 +15860,7 @@ index 08dfa0c..b02e348 100644
########################################
#
# Apache PHP script local policy
-@@ -654,28 +862,27 @@ libs_exec_lib_files(httpd_php_t)
+@@ -654,28 +864,29 @@ libs_exec_lib_files(httpd_php_t)
userdom_use_unpriv_users_fds(httpd_php_t)
tunable_policy(`httpd_can_network_connect_db',`
@@ -15841,6 +15879,8 @@ index 08dfa0c..b02e348 100644
- corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
+ corenet_tcp_connect_mssql_port(httpd_php_t)
+ corenet_sendrecv_mssql_client_packets(httpd_php_t)
++ corenet_tcp_connect_oracle_port(httpd_php_t)
++ corenet_sendrecv_oracle_client_packets(httpd_php_t)
')
optional_policy(`
@@ -15863,7 +15903,7 @@ index 08dfa0c..b02e348 100644
')
########################################
-@@ -699,17 +906,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -699,17 +910,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -15889,13 +15929,15 @@ index 08dfa0c..b02e348 100644
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -740,10 +952,20 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -740,10 +956,22 @@ tunable_policy(`httpd_can_network_connect',`
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
+tunable_policy(`httpd_can_network_connect_db',`
+ corenet_tcp_connect_mssql_port(httpd_suexec_t)
+ corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
++ corenet_tcp_connect_oracle_port(httpd_suexec_t)
++ corenet_sendrecv_oracle_client_packets(httpd_suexec_t)
+')
+
+domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
@@ -15911,7 +15953,7 @@ index 08dfa0c..b02e348 100644
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -769,6 +991,25 @@ optional_policy(`
+@@ -769,6 +997,25 @@ optional_policy(`
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -15937,7 +15979,7 @@ index 08dfa0c..b02e348 100644
########################################
#
# Apache system script local policy
-@@ -789,12 +1030,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -789,12 +1036,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
kernel_read_kernel_sysctls(httpd_sys_script_t)
@@ -15955,7 +15997,7 @@ index 08dfa0c..b02e348 100644
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-@@ -803,6 +1049,33 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -803,6 +1055,35 @@ tunable_policy(`httpd_can_sendmail',`
mta_send_mail(httpd_sys_script_t)
')
@@ -15968,6 +16010,8 @@ index 08dfa0c..b02e348 100644
+tunable_policy(`httpd_can_network_connect_db',`
+ corenet_tcp_connect_mssql_port(httpd_sys_script_t)
+ corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
++ corenet_tcp_connect_oracle_port(httpd_sys_script_t)
++ corenet_sendrecv_oracle_client_packets(httpd_sys_script_t)
+')
+
+fs_cifs_entry_type(httpd_sys_script_t)
@@ -15989,7 +16033,7 @@ index 08dfa0c..b02e348 100644
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
allow httpd_sys_script_t self:udp_socket create_socket_perms;
-@@ -822,7 +1095,7 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -822,7 +1103,7 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
')
tunable_policy(`httpd_enable_homedirs',`
@@ -15998,7 +16042,7 @@ index 08dfa0c..b02e348 100644
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -830,6 +1103,20 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -830,6 +1111,20 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_symlinks(httpd_sys_script_t)
')
@@ -16019,7 +16063,7 @@ index 08dfa0c..b02e348 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,10 +1129,20 @@ optional_policy(`
+@@ -842,10 +1137,20 @@ optional_policy(`
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -16040,7 +16084,7 @@ index 08dfa0c..b02e348 100644
')
########################################
-@@ -891,11 +1188,21 @@ optional_policy(`
+@@ -891,11 +1196,21 @@ optional_policy(`
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -23807,17 +23851,31 @@ index 671d8fd..25c7ab8 100644
+ dontaudit gnomeclock_t $1:dbus send_msg;
+')
diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te
-index 4fde46b..41dfb2b 100644
+index 4fde46b..078ea24 100644
--- a/policy/modules/services/gnomeclock.te
+++ b/policy/modules/services/gnomeclock.te
-@@ -20,6 +20,7 @@ allow gnomeclock_t self:fifo_file rw_fifo_file_perms;
+@@ -19,7 +19,10 @@ allow gnomeclock_t self:process { getattr getsched };
+ allow gnomeclock_t self:fifo_file rw_fifo_file_perms;
allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms;
++kernel_read_system_state(gnomeclock_t)
++
corecmd_exec_bin(gnomeclock_t)
+corecmd_exec_shell(gnomeclock_t)
files_read_etc_files(gnomeclock_t)
files_read_usr_files(gnomeclock_t)
+@@ -39,6 +42,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ consoletype_exec(gnomeclock_t)
++')
++
++optional_policy(`
+ policykit_dbus_chat(gnomeclock_t)
+ policykit_domtrans_auth(gnomeclock_t)
+ policykit_read_lib(gnomeclock_t)
diff --git a/policy/modules/services/gpm.if b/policy/modules/services/gpm.if
index 7d97298..d6b2959 100644
--- a/policy/modules/services/gpm.if
@@ -30825,7 +30883,7 @@ index 46bee12..b87375e 100644
+ role $2 types postfix_postdrop_t;
+')
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
-index 06e37d4..e76a63c 100644
+index 06e37d4..5a4973e 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -5,6 +5,14 @@ policy_module(postfix, 1.12.0)
@@ -30991,7 +31049,7 @@ index 06e37d4..e76a63c 100644
optional_policy(`
clamav_search_lib(postfix_local_t)
-@@ -304,9 +329,17 @@ optional_policy(`
+@@ -304,9 +329,18 @@ optional_policy(`
')
optional_policy(`
@@ -31004,12 +31062,13 @@ index 06e37d4..e76a63c 100644
+optional_policy(`
+ zarafa_deliver_domtrans(postfix_local_t)
++ zarafa_stream_connect_server(postfix_local_t)
+')
+
########################################
#
# Postfix map local policy
-@@ -390,8 +423,8 @@ delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_m
+@@ -390,8 +424,8 @@ delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_m
# Postfix pipe local policy
#
@@ -31019,7 +31078,7 @@ index 06e37d4..e76a63c 100644
write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
-@@ -401,6 +434,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
+@@ -401,6 +435,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
@@ -31028,7 +31087,7 @@ index 06e37d4..e76a63c 100644
optional_policy(`
dovecot_domtrans_deliver(postfix_pipe_t)
')
-@@ -420,6 +455,7 @@ optional_policy(`
+@@ -420,6 +456,7 @@ optional_policy(`
optional_policy(`
spamassassin_domtrans_client(postfix_pipe_t)
@@ -31036,7 +31095,7 @@ index 06e37d4..e76a63c 100644
')
optional_policy(`
-@@ -436,6 +472,9 @@ allow postfix_postdrop_t self:capability sys_resource;
+@@ -436,6 +473,9 @@ allow postfix_postdrop_t self:capability sys_resource;
allow postfix_postdrop_t self:tcp_socket create;
allow postfix_postdrop_t self:udp_socket create_socket_perms;
@@ -31046,7 +31105,7 @@ index 06e37d4..e76a63c 100644
rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
postfix_list_spool(postfix_postdrop_t)
-@@ -519,7 +558,7 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
+@@ -519,7 +559,7 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
@@ -31055,7 +31114,7 @@ index 06e37d4..e76a63c 100644
corecmd_exec_bin(postfix_qmgr_t)
-@@ -539,7 +578,7 @@ postfix_list_spool(postfix_showq_t)
+@@ -539,7 +579,7 @@ postfix_list_spool(postfix_showq_t)
allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
@@ -31064,7 +31123,7 @@ index 06e37d4..e76a63c 100644
# to write the mailq output, it really should not need read access!
term_use_all_ptys(postfix_showq_t)
-@@ -588,10 +627,16 @@ corecmd_exec_bin(postfix_smtpd_t)
+@@ -588,10 +628,16 @@ corecmd_exec_bin(postfix_smtpd_t)
# for OpenSSL certificates
files_read_usr_files(postfix_smtpd_t)
@@ -31081,7 +31140,7 @@ index 06e37d4..e76a63c 100644
')
optional_policy(`
-@@ -611,8 +656,8 @@ optional_policy(`
+@@ -611,8 +657,8 @@ optional_policy(`
# Postfix virtual local policy
#
@@ -31091,7 +31150,7 @@ index 06e37d4..e76a63c 100644
allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
-@@ -630,3 +675,8 @@ mta_delete_spool(postfix_virtual_t)
+@@ -630,3 +676,8 @@ mta_delete_spool(postfix_virtual_t)
# For reading spamassasin
mta_read_config(postfix_virtual_t)
mta_manage_spool(postfix_virtual_t)
@@ -31972,25 +32031,33 @@ index 2855a44..0456b11 100644
type puppet_tmp_t;
')
diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
-index 64c5f95..76da005 100644
+index 64c5f95..4d48908 100644
--- a/policy/modules/services/puppet.te
+++ b/policy/modules/services/puppet.te
-@@ -6,10 +6,10 @@ policy_module(puppet, 1.0.0)
+@@ -6,12 +6,19 @@ policy_module(puppet, 1.0.0)
#
## <desc>
--## <p>
--## Allow Puppet client to manage all file
--## types.
--## </p>
+## <p>
+## Allow Puppet client to manage all file
+## types.
+## </p>
++## </desc>
++gen_tunable(puppet_manage_all_files, false)
++
++## <desc>
+ ## <p>
+-## Allow Puppet client to manage all file
+-## types.
++## Alow Pupper master to use connect to mysql and postgresql database
+ ## </p>
## </desc>
- gen_tunable(puppet_manage_all_files, false)
+-gen_tunable(puppet_manage_all_files, false)
++gen_tunable(puppetmaster_use_db, false)
-@@ -63,7 +63,7 @@ manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
+ type puppet_t;
+ type puppet_exec_t;
+@@ -63,7 +70,7 @@ manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
files_search_var_lib(puppet_t)
@@ -31999,7 +32066,7 @@ index 64c5f95..76da005 100644
manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir })
-@@ -176,24 +176,29 @@ allow puppetmaster_t self:udp_socket create_socket_perms;
+@@ -176,24 +183,29 @@ allow puppetmaster_t self:udp_socket create_socket_perms;
list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
@@ -32031,7 +32098,7 @@ index 64c5f95..76da005 100644
corecmd_exec_bin(puppetmaster_t)
corecmd_exec_shell(puppetmaster_t)
-@@ -214,13 +219,20 @@ domain_read_all_domains_state(puppetmaster_t)
+@@ -214,13 +226,32 @@ domain_read_all_domains_state(puppetmaster_t)
files_read_etc_files(puppetmaster_t)
files_search_var_lib(puppetmaster_t)
@@ -32049,10 +32116,22 @@ index 64c5f95..76da005 100644
+mta_send_mail(puppetmaster_t)
+
++optional_policy(`
++ tunable_policy(`puppetmaster_use_db',`
++ mysql_stream_connect(puppetmaster_t)
++ ')
++')
++
++optional_policy(`
++ tunable_policy(`puppetmaster_use_db',`
++ postgresql_stream_connect(puppetmaster_t)
++ ')
++')
++
optional_policy(`
hostname_exec(puppetmaster_t)
')
-@@ -231,3 +243,8 @@ optional_policy(`
+@@ -231,3 +262,8 @@ optional_policy(`
rpm_exec(puppetmaster_t)
rpm_read_db(puppetmaster_t)
')
@@ -41865,10 +41944,10 @@ index 0000000..8a909f5
+')
diff --git a/policy/modules/services/zarafa.te b/policy/modules/services/zarafa.te
new file mode 100644
-index 0000000..3ce4d86
+index 0000000..d7c3f51
--- /dev/null
+++ b/policy/modules/services/zarafa.te
-@@ -0,0 +1,132 @@
+@@ -0,0 +1,134 @@
+policy_module(zarafa, 1.0.0)
+
+########################################
@@ -41946,6 +42025,8 @@ index 0000000..3ce4d86
+allow zarafa_spooler_t self:capability { chown kill };
+allow zarafa_spooler_t self:process signal;
+
++can_exec(zarafa_spooler_t, zarafa_spooler_exec_t)
++
+corenet_tcp_connect_smtp_port(zarafa_spooler_t)
+
+########################################
@@ -43523,7 +43604,7 @@ index ed152c4..a398d39 100644
+ allow $1 init_t:unix_dgram_socket sendto;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 0580e7c..90ca53f 100644
+index 0580e7c..c45e5d8 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,6 +16,27 @@ gen_require(`
@@ -43856,7 +43937,15 @@ index 0580e7c..90ca53f 100644
corecmd_exec_all_executables(initrc_t)
-@@ -291,6 +464,7 @@ dev_read_sound_mixer(initrc_t)
+@@ -279,6 +452,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+
+ dev_read_rand(initrc_t)
+ dev_read_urand(initrc_t)
++dev_dontaudit_read_kmsg(initrc_t)
+ dev_write_kmsg(initrc_t)
+ dev_write_rand(initrc_t)
+ dev_write_urand(initrc_t)
+@@ -291,6 +465,7 @@ dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
dev_setattr_all_chr_files(initrc_t)
dev_rw_lvm_control(initrc_t)
@@ -43864,7 +43953,7 @@ index 0580e7c..90ca53f 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -298,13 +472,13 @@ dev_manage_generic_files(initrc_t)
+@@ -298,13 +473,13 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -43880,7 +43969,7 @@ index 0580e7c..90ca53f 100644
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
-@@ -323,8 +497,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +498,10 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -43892,7 +43981,7 @@ index 0580e7c..90ca53f 100644
files_delete_all_pids(initrc_t)
files_delete_all_pid_dirs(initrc_t)
files_read_etc_files(initrc_t)
-@@ -340,8 +516,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +517,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -43906,7 +43995,7 @@ index 0580e7c..90ca53f 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -351,6 +531,8 @@ fs_mount_all_fs(initrc_t)
+@@ -351,6 +532,8 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -43915,7 +44004,7 @@ index 0580e7c..90ca53f 100644
# initrc_t needs to do a pidof which requires ptrace
mcs_ptrace_all(initrc_t)
-@@ -363,6 +545,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +546,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -43923,7 +44012,7 @@ index 0580e7c..90ca53f 100644
selinux_get_enforce_mode(initrc_t)
-@@ -374,6 +557,7 @@ term_use_all_terms(initrc_t)
+@@ -374,6 +558,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -43931,7 +44020,7 @@ index 0580e7c..90ca53f 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -394,13 +578,14 @@ logging_read_audit_config(initrc_t)
+@@ -394,13 +579,14 @@ logging_read_audit_config(initrc_t)
miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
@@ -43947,7 +44036,7 @@ index 0580e7c..90ca53f 100644
userdom_read_user_home_content_files(initrc_t)
# Allow access to the sysadm TTYs. Note that this will give access to the
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
-@@ -474,7 +659,7 @@ ifdef(`distro_redhat',`
+@@ -474,7 +660,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -43956,7 +44045,7 @@ index 0580e7c..90ca53f 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -520,6 +705,23 @@ ifdef(`distro_redhat',`
+@@ -520,6 +706,23 @@ ifdef(`distro_redhat',`
optional_policy(`
bind_manage_config_dirs(initrc_t)
bind_write_config(initrc_t)
@@ -43980,7 +44069,7 @@ index 0580e7c..90ca53f 100644
')
optional_policy(`
-@@ -527,10 +729,17 @@ ifdef(`distro_redhat',`
+@@ -527,10 +730,17 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -43998,7 +44087,7 @@ index 0580e7c..90ca53f 100644
')
optional_policy(`
-@@ -545,6 +754,35 @@ ifdef(`distro_suse',`
+@@ -545,6 +755,35 @@ ifdef(`distro_suse',`
')
')
@@ -44034,7 +44123,7 @@ index 0580e7c..90ca53f 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -557,6 +795,8 @@ optional_policy(`
+@@ -557,6 +796,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -44043,7 +44132,7 @@ index 0580e7c..90ca53f 100644
')
optional_policy(`
-@@ -573,6 +813,7 @@ optional_policy(`
+@@ -573,6 +814,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -44051,7 +44140,7 @@ index 0580e7c..90ca53f 100644
')
optional_policy(`
-@@ -585,6 +826,11 @@ optional_policy(`
+@@ -585,6 +827,11 @@ optional_policy(`
')
optional_policy(`
@@ -44063,7 +44152,7 @@ index 0580e7c..90ca53f 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -601,9 +847,13 @@ optional_policy(`
+@@ -601,9 +848,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -44077,7 +44166,7 @@ index 0580e7c..90ca53f 100644
')
optional_policy(`
-@@ -702,7 +952,13 @@ optional_policy(`
+@@ -702,7 +953,13 @@ optional_policy(`
')
optional_policy(`
@@ -44091,7 +44180,7 @@ index 0580e7c..90ca53f 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -725,6 +981,10 @@ optional_policy(`
+@@ -725,6 +982,10 @@ optional_policy(`
')
optional_policy(`
@@ -44102,7 +44191,7 @@ index 0580e7c..90ca53f 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -734,10 +994,20 @@ optional_policy(`
+@@ -734,10 +995,20 @@ optional_policy(`
')
optional_policy(`
@@ -44123,7 +44212,7 @@ index 0580e7c..90ca53f 100644
quota_manage_flags(initrc_t)
')
-@@ -746,6 +1016,10 @@ optional_policy(`
+@@ -746,6 +1017,10 @@ optional_policy(`
')
optional_policy(`
@@ -44134,7 +44223,7 @@ index 0580e7c..90ca53f 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -767,8 +1041,6 @@ optional_policy(`
+@@ -767,8 +1042,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -44143,7 +44232,7 @@ index 0580e7c..90ca53f 100644
')
optional_policy(`
-@@ -777,14 +1049,21 @@ optional_policy(`
+@@ -777,14 +1050,21 @@ optional_policy(`
')
optional_policy(`
@@ -44165,7 +44254,7 @@ index 0580e7c..90ca53f 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -806,11 +1085,19 @@ optional_policy(`
+@@ -806,11 +1086,19 @@ optional_policy(`
')
optional_policy(`
@@ -44186,7 +44275,7 @@ index 0580e7c..90ca53f 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -820,6 +1107,25 @@ optional_policy(`
+@@ -820,6 +1108,25 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -44212,7 +44301,7 @@ index 0580e7c..90ca53f 100644
')
optional_policy(`
-@@ -845,3 +1151,59 @@ optional_policy(`
+@@ -845,3 +1152,59 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -48122,10 +48211,10 @@ index 0000000..5f0352b
+
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..174dd0c
+index 0000000..85d3b7a
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,102 @@
+@@ -0,0 +1,103 @@
+
+policy_module(systemd, 1.0.0)
+
@@ -48204,7 +48293,7 @@ index 0000000..174dd0c
+files_relabelfrom_tmp_files(systemd_tmpfiles_t)
+files_relabel_all_tmp_dirs(systemd_tmpfiles_t)
+files_relabel_all_tmp_files(systemd_tmpfiles_t)
-+files_getattr_lost_found_dirs(systemd_tmpfiles_t)
++files_list_lost_found_dirs(systemd_tmpfiles_t)
+
+init_dgram_send(systemd_tmpfiles_t)
+
@@ -48214,6 +48303,7 @@ index 0000000..174dd0c
+auth_relabel_var_auth_dirs(systemd_tmpfiles_t)
+auth_relabel_login_records(systemd_tmpfiles_t)
+auth_setattr_login_records(systemd_tmpfiles_t)
++auth_use_nsswitch(systemd_tmpfiles_t)
+
+seutil_read_file_contexts(systemd_tmpfiles_t)
+
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 570253c..8459e8e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.12
-Release: 7%{?dist}
+Release: 8%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,13 @@ exit 0
%endif
%changelog
+* Mon Jan 17 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.12-8
+- Add oracle ports and allow apache to connect to them if the connect_db boolean is turned on
+- Add puppetmaster_use_db boolean
+- Fixes for zarafa policy
+- Fixes for gnomeclock poliy
+- Fix systemd-tmpfiles to use auth_use_nsswitch
+
* Fri Jan 14 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.12-7
- gnomeclock executes a shell
- Update for screen policy to handle pipe in homedir