- Apply also patch for RHEL-6.10
- Increase nvr
Resolves: rhbz#1515499

- Allow sysadm_t to run puppet_exec_t binaries as puppet_t
Resolves: rhbz#1522765

- Label /usr/bin/mysqld_safe_helper as mysqld_exec_t instead of bin_t.
Resolves: rhbz#1466327

- Allow glusterd_t send signals to userdomain. Label new glusterd binaries as glusterd_exec_t
Resolves: rhbz#1404152
- Label /usr/bin/puppet* binaries as puppet_exec_t
Resolves: rhbz#1386181

- Allow glusterd_t send signals to userdomain. Label new glusterd binaries as glusterd_exec_t
Resolves: rhbz#1409482

- Allow glusterd to manage socket files labeled as glusterd_brick_t.
Resolves: rhbz#1393267
- Allow runnig php7 in fpm mode. From selinux-policy side, we need to allow httpd to read/write hugetlbfs
Resolves: rhbz#1393253

- Allow smbcontrol to create a socket in /var/samba which uses for a communication with smbd, nmbd and winbind.
Related: #1326621

- Allow smbcontrol to create a socket in /var/samba which uses for a communication with smbd, nmbd and winbind.
Related: #1322688

- Allow ipsec_mgmt_t to access netlink route socket and set attributes for /var/run/pluto directories.
Resolves:#1289019

- Backport ipsec-mgmt fixes to have libreswan working correctly on RHEL-6.7.
Resolves:#1272437

- Allow qpidd to be working with MRG. It requires to manage symlinks in /var/lib/qpidd.
Resolves:#1257318
Resolves:#1257319

- Allow Chromium to use setcap inside its SUID sandbox.
Resolves:#1258392

- Allow nsswitch domain to search samba pid dirs to allow to connect to nmbd_t
Resolves:#1248520

- Allow logrotate get attributes of all unallocated tty device nodes.
- Add logging_syslogd_run_nagios_plugins boolean for rsyslog to allow transition to nagios unconfined plugins.
- Allow glusterd to connect to init.
Resolves:#1230371
- Allow gluster do dbus chat with domain running as initrc_t.

- Allow sys_admin capability for gfs_controld
Resolves:#1233118

- Allow passenger to accept connection.
- Update passenger rules from RHEL7.
Resolves:#1211706
- Allow mysqld_t to use pam
- Allow mysqld_t to send audit messages
Resolves:#1214023
- Back port labeling for /etc/my.cnf.d dir.
Resolves:#1212976
- Add labeling for mariadb log/pid files/dirs.
Resolves:#1212846
- Add support for mogos service.
Resolves:#1212972

- Allow logrotate to manage virt_cache.
Resolves:#1179805

- Allow osad to execute rhn_check
- Make osad_t as unconfined domain
- Allow osad connect to jabber client port
Resolves:#1169688
- Allow rhev-agentd to access /dev/.udev/db/block:sr0

- Add virt_getattr_images and call it for sblim_sfcbd_t.
- We also need to call virt_search_images for sblim.
Resolves:#1140614

- Fix openshift_read_lib_files() interface
Resolves:#1092624

- Allow snmpd to getattr on removeable and fixed disks
Resolves:#1078275

- Add named_cache_t label for /var/lib/unbound
- Fix puppet_domtrans_master() interface to make passenger working correctly if it wants to read puppet config files
- Allow anitvirus domains to manage own log dirs

- Allow all daemons to manage cluster lib files if daemons_enable_cluster_mode boolean is enabled
Resolves:#985442

- Remove transition from virtd_t to qemu_t to stay in virtd_t if selinux_driver is None in qemu.conf
Resolves:#1015117
- Allow virt_domain to read virt_var_run_t symlinks
Resolves:#1015068

- Back port openvswitch policy
Resolves:#976000

- Remove all transitions for quantum
Resolves:#969043

- Allow myslqd-safe to execute shell_exec_t
Resolves:#966997
- Allow openshift-cron to read openshift link files in /var/lib

- Allow dirsrv-admin server to be restarted from console
Resolves:#955703

- Backport openshfit fixes
Resolves:#917966

- Additional fix for tuned
- Backport openshift changes
Resolves:#912392

- Make matahari domains as unconfined
- Allow nscd to connect to nmbd
Resolves:#901565
- Allow setcap/getcap for syslogd

- Apache is sending sinal to openshift_initrc_t now
- Dontaudit attempts by openshift to read apache logs
- Change oddjob to transition to a ranged openshift_initr_exec_t when run from oddjob
- Allow quota to manage openshift_var_lib_t directories
Resolves:#888381

- Allow consolehelper-gtk to connect to xserver port
- Make rhev_agentd_consolehelper_t also as permissive domain
- Allow rhev-agentd to connect to xserver
Resolves:#886210

- Fix passenger labeling
Resolves:#876075

- Allow virt domains to read/write inherited files on NFS/CIFS filesystems
Resolves:#867395

- Make condor_startd_ssh domain as unconfined
- Allow condor_startd_ssh to connect to kerberos_master port
Resolves:#852456

- Allow setroubleshootd to execute rpm
Resolves:#833053
- Add labeling for /usr/lib/flash-plugin/libflashplayer.so

- Allow fenced to manage snmpd lib files
- Allow certmonger to get attributes on init script files
Resolves:#790967
- Fix labeling for Firefox plugins
Resolves:#747993
- Add mta_signal_user_agent() interface

- Add MRG patch
Resolves:#796585

- More fixes for FIPS
Resolves:#796423

- qpidd needs to create tmpfs
- qpidd needs to read sysfs_t
Resolves:#786088

- Allow rhev_agentd_consolehelper to dbus chat with session bus
Resolves:#761065

- Update config.tgz to make cronjob working also for user_t
Resolves:#754112

- Fix dev_rw_generic_usb_dev
Resolves:#751388

- Allow httpd_dirsrv_admin_script to read and write of httpd unix stream socket

- Allow syslogd ipc_lock
- Allow syslogd to read from random number generator

- Make init_t MLS trusted for reading/writing from/to sockets at any level

- seunshare needs to be able to mounton nfs/cifs/fusefs homedirs
Resolves: #684918

- Fix init leaks
Resolves: #644820