Description: misc patches for daemon policy
Author: Russell Coker <russell@coker.com.au>
Last-Update: 2014-09-13

Index: refpolicy/policy/modules/contrib/fetchmail.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/fetchmail.te
+++ refpolicy/policy/modules/contrib/fetchmail.te
@@ -47,6 +47,7 @@ create_files_pattern(fetchmail_t, fetchm
 setattr_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
 logging_log_filetrans(fetchmail_t, fetchmail_log_t, { dir file })
 
+allow fetchmail_t fetchmail_uidl_cache_t:dir manage_dir_perms;
 allow fetchmail_t fetchmail_uidl_cache_t:file manage_file_perms;
 mta_spool_filetrans(fetchmail_t, fetchmail_uidl_cache_t, file)
 
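Review bot: The new `manage_dir_perms` rule on fetchmail_uidl_cache_t directories is not paired with a directory file transition, so a directory that fetchmail creates in the spool would keep the parent directory's label rather than fetchmail_uidl_cache_t, and the new rule would never match it. If the daemon does create such a directory, extend the transition on the following line to `mta_spool_filetrans(fetchmail_t, fetchmail_uidl_cache_t, { dir file })`; if it only needs to traverse an existing directory, a narrower `allow fetchmail_t fetchmail_uidl_cache_t:dir list_dir_perms;` is enough. Which case applies is not visible from the hunk.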
Index: refpolicy/policy/modules/contrib/mysql.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/mysql.te
+++ refpolicy/policy/modules/contrib/mysql.te
@@ -70,7 +70,7 @@ dontaudit mysqld_t self:capability sys_t
 allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
 allow mysqld_t self:fifo_file rw_fifo_file_perms;
 allow mysqld_t self:shm create_shm_perms;
-allow mysqld_t self:unix_stream_socket { accept listen };
+allow mysqld_t self:unix_stream_socket { connectto accept listen };
 allow mysqld_t self:tcp_socket { accept listen };
 
 manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
@@ -99,6 +99,7 @@ manage_sock_files_pattern(mysqld_t, mysq
 files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file })
 
 kernel_read_kernel_sysctls(mysqld_t)
+kernel_read_vm_sysctls(mysqld_t)
 kernel_read_network_state(mysqld_t)
 kernel_read_system_state(mysqld_t)
 
@@ -165,7 +166,7 @@ allow mysqld_safe_t self:capability { ch
 allow mysqld_safe_t self:process { setsched getsched setrlimit };
 allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
 
-allow mysqld_safe_t mysqld_t:process signull;
+allow mysqld_safe_t mysqld_t:process { signull sigkill };
 
 read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
 manage_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
@@ -190,7 +191,8 @@ kernel_read_kernel_sysctls(mysqld_safe_t
 corecmd_exec_bin(mysqld_safe_t)
 corecmd_exec_shell(mysqld_safe_t)
 
-dev_list_sysfs(mysqld_safe_t)
+dev_read_sysfs(mysqld_safe_t)
+
 
 domain_read_all_domains_state(mysqld_safe_t)
 
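Review bot: The added empty line after `dev_read_sysfs(mysqld_safe_t)` leaves two consecutive blank lines before `domain_read_all_domains_state`, which the surrounding file does not do anywhere else; drop the added blank so the hunk is a plain one-line replacement. Widening list to read on sysfs is small, but a short comment naming what mysqld_safe reads there would make the grant auditable later.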
@@ -207,6 +209,10 @@ miscfiles_read_localization(mysqld_safe_
 userdom_search_user_home_dirs(mysqld_safe_t)
 
 optional_policy(`
+	dpkg_read_db(mysqld_safe_t)
+')
+
+optional_policy(`
 	hostname_exec(mysqld_safe_t)
 ')
 
Index: refpolicy/policy/modules/contrib/tor.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/tor.te
+++ refpolicy/policy/modules/contrib/tor.te
@@ -41,7 +41,7 @@ init_daemon_pid_file(tor_var_run_t, dir,
 # Local policy
 #
 
-allow tor_t self:capability { setgid setuid sys_tty_config };
+allow tor_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid sys_tty_config };
 allow tor_t self:process signal;
 allow tor_t self:fifo_file rw_fifo_file_perms;
 allow tor_t self:unix_stream_socket { accept listen };
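Review bot: Adding `dac_override` and `dac_read_search` to tor_t bypasses discretionary permission checks for every file the domain can reach under SELinux, and the hunk gives no reason for them or for the new `chown fowner fsetid` set. These capabilities are often requested only because a data directory is owned by the wrong user at startup; if that is the case here, fixing ownership in packaging avoids the capability entirely. If they are genuinely required, a comment above the rule such as `# chown/dac_* needed to fix ownership of the data directory on startup` (adjusted to the real cause) documents the decision, and checking which paths triggered the denials would show whether `dac_read_search` alone is sufficient.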
@@ -62,6 +62,7 @@ create_files_pattern(tor_t, tor_var_log_
 setattr_files_pattern(tor_t, tor_var_log_t, tor_var_log_t)
 manage_sock_files_pattern(tor_t, tor_var_log_t, tor_var_log_t)
 logging_log_filetrans(tor_t, tor_var_log_t, { sock_file file dir })
+fs_search_tmpfs(tor_t)
 
 manage_dirs_pattern(tor_t, tor_var_run_t, tor_var_run_t)
 manage_files_pattern(tor_t, tor_var_run_t, tor_var_run_t)
Index: refpolicy/policy/modules/contrib/cron.if
===================================================================
--- refpolicy.orig/policy/modules/contrib/cron.if
+++ refpolicy/policy/modules/contrib/cron.if
@@ -13,7 +13,7 @@
 template(`cron_common_crontab_template',`
 	gen_require(`
 		attribute crontab_domain;
-		type crontab_exec_t;
+		type crontab_exec_t, crond_t;
 	')
 
 	##############################
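Review bot: `crond_t` is added to the template's gen_require, but no rule in the template body references it (the rest of the body is in the next hunk and only uses `$1_crontab_t`, `$1_cron_spool_t`, `cron_spool_t` and `user_cron_spool_t`), so the require appears to be dead. Either drop `crond_t` from the require or, if a rule on the one line between the two hunks uses it, leave it; an unused require does not break the build but misleads readers about the template's dependencies.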
@@ -21,23 +21,33 @@ template(`cron_common_crontab_template',
 	# Declarations
 	#
 
-	type $1_t, crontab_domain;
-	userdom_user_application_domain($1_t, crontab_exec_t)
+	type $1_crontab_t, crontab_domain;
+	userdom_user_application_domain($1_crontab_t, crontab_exec_t)
 
-	type $1_tmp_t;
-	userdom_user_tmp_file($1_tmp_t)
+	type $1_crontab_tmp_t;
+	userdom_user_tmp_file($1_crontab_tmp_t)
+
+	type $1_cron_spool_t, cron_spool_type;
 
 	##############################
 	#
 	# Local policy
 	#
 
-	manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
-	manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
-	files_tmp_filetrans($1_t, $1_tmp_t, { dir file })
+	manage_dirs_pattern($1_crontab_t, $1_crontab_tmp_t, $1_crontab_tmp_t)
+	manage_files_pattern($1_crontab_t, $1_crontab_tmp_t, $1_crontab_tmp_t)
+	files_tmp_filetrans($1_crontab_t, $1_crontab_tmp_t, { dir file })
+
+	auth_domtrans_chk_passwd($1_crontab_t)
+	auth_use_nsswitch($1_crontab_t)
+	allow $1_crontab_t self:capability fsetid;
+
+	files_type($1_cron_spool_t)
+	ubac_constrained($1_cron_spool_t)
+	mta_system_content($1_cron_spool_t)
 
-	auth_domtrans_chk_passwd($1_t)
-	auth_use_nsswitch($1_t)
+	manage_files_pattern($1_crontab_t, { cron_spool_t user_cron_spool_t }, $1_cron_spool_t)
+	filetrans_pattern($1_crontab_t, cron_spool_t, $1_cron_spool_t, file)
 ')
 
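Review bot: `manage_files_pattern($1_crontab_t, { cron_spool_t user_cron_spool_t }, $1_cron_spool_t)` still names the `user` stem's spool type in the directory list, so every instantiation of the template (sysadm, staff, unconfined) gets add_name/remove_name on user_cron_spool_t directories even though the file access is correctly per-stem. This looks like a leftover from the old crontab_domain rule rather than intent; the consistent form is `manage_files_pattern($1_crontab_t, { cron_spool_t $1_cron_spool_t }, $1_cron_spool_t)`. Note also that `user_cron_spool_t` is used without being in the template's gen_require, which only works because the template is expanded inside cron.te where that type is declared.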
 ########################################
@@ -51,15 +61,15 @@ template(`cron_common_crontab_template',
 ## </param>
 ## <param name="domain">
 ##	<summary>
-##	User domain for the role.
+##	stem of domain for the role.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`cron_role',`
 	gen_require(`
-		type cronjob_t, crontab_t, crontab_exec_t;
-		type user_cron_spool_t, crond_t;
+		type $2_crontab_t, crontab_exec_t;
+		type $2_cron_spool_t, crond_t;
 		bool cron_userdomain_transition;
 	')
 
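Review bot: The meaning of cron_role's second argument changes from a domain type (`user_t`) to a stem (`user`) because the body now builds `$2_t` and `$2_crontab_t`, but no caller is updated in this patch; an unchanged caller passing `user_t` would expand to `user_t_t` and fail to build. Every caller of `cron_role` (the userdomain templates in refpolicy call it) needs to change in the same patch. The new summary `stem of domain for the role.` should also be capitalized and spelled out, e.g. `Stem of the user domain (user for user_t).`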
@@ -68,138 +78,42 @@ interface(`cron_role',`
 	# Declarations
 	#
 
-	role $1 types { cronjob_t crontab_t };
+	role $1 types { $2_crontab_t };
 
 	##############################
 	#
 	# Local policy
 	#
 
-	domtrans_pattern($2, crontab_exec_t, crontab_t)
+	domtrans_pattern($2_t, crontab_exec_t, $2_crontab_t)
 
-	dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
-	allow $2 crond_t:process sigchld;
+	dontaudit crond_t $2_t:process { noatsecure siginh rlimitinh };
+	allow $2_t crond_t:process sigchld;
 
-	allow $2 user_cron_spool_t:file { getattr read write ioctl };
+	allow $2_t $2_cron_spool_t:file { getattr read write ioctl };
 
-	allow $2 crontab_t:process { ptrace signal_perms };
-	ps_process_pattern($2, crontab_t)
+	allow $2_t $2_crontab_t:process { ptrace signal_perms };
+	ps_process_pattern($2_t, $2_crontab_t)
 
-	corecmd_exec_bin(crontab_t)
-	corecmd_exec_shell(crontab_t)
+	corecmd_exec_bin($2_crontab_t)
+	corecmd_exec_shell($2_crontab_t)
 
 	tunable_policy(`cron_userdomain_transition',`
-		allow crond_t $2:process transition;
-		allow crond_t $2:fd use;
-		allow crond_t $2:key manage_key_perms;
-
-		allow $2 user_cron_spool_t:file entrypoint;
+		allow crond_t $2_t:process transition;
+		allow crond_t $2_t:fd use;
+		allow crond_t $2_t:key manage_key_perms;
 
-		allow $2 crond_t:fifo_file rw_fifo_file_perms;
+		allow $2_t $2_cron_spool_t:file entrypoint;
 
-		allow $2 cronjob_t:process { ptrace signal_perms };
-		ps_process_pattern($2, cronjob_t)
+		allow $2_t crond_t:fifo_file rw_fifo_file_perms;
 	',`
-		dontaudit crond_t $2:process transition;
-		dontaudit crond_t $2:fd use;
-		dontaudit crond_t $2:key manage_key_perms;
+		dontaudit crond_t $2_t:process transition;
+		dontaudit crond_t $2_t:fd use;
+		dontaudit crond_t $2_t:key manage_key_perms;
 
-		dontaudit $2 user_cron_spool_t:file entrypoint;
+		dontaudit $2_t $2_cron_spool_t:file entrypoint;
 
-		dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
-
-		dontaudit $2 cronjob_t:process { ptrace signal_perms };
-	')
-
-	optional_policy(`
-		gen_require(`
-			class dbus send_msg;
-		')
-
-		dbus_stub(cronjob_t)
-
-		allow cronjob_t $2:dbus send_msg;
-	')
-')
-
-########################################
-## <summary>
-##	Role access for unconfined cron.
-## </summary>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	User domain for the role.
-##	</summary>
-## </param>
-#
-interface(`cron_unconfined_role',`
-	gen_require(`
-		type unconfined_cronjob_t, crontab_t, crontab_exec_t;
-		type crond_t, user_cron_spool_t;
-		bool cron_userdomain_transition;
-	')
-
-	##############################
-	#
-	# Declarations
-	#
-
-	role $1 types { unconfined_cronjob_t crontab_t };
-
-	##############################
-	#
-	# Local policy
-	#
-
-	domtrans_pattern($2, crontab_exec_t, crontab_t)
-
-	dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
-	allow $2 crond_t:process sigchld;
-
-	allow $2 user_cron_spool_t:file { getattr read write ioctl };
-
-	allow $2 crontab_t:process { ptrace signal_perms };
-	ps_process_pattern($2, crontab_t)
-
-	corecmd_exec_bin(crontab_t)
-	corecmd_exec_shell(crontab_t)
-
-	tunable_policy(`cron_userdomain_transition',`
-		allow crond_t $2:process transition;
-		allow crond_t $2:fd use;
-		allow crond_t $2:key manage_key_perms;
-
-		allow $2 user_cron_spool_t:file entrypoint;
-
-		allow $2 crond_t:fifo_file rw_fifo_file_perms;
-
-		allow $2 unconfined_cronjob_t:process { ptrace signal_perms };
-		ps_process_pattern($2, unconfined_cronjob_t)
-	',`
-		dontaudit crond_t $2:process transition;
-		dontaudit crond_t $2:fd use;
-		dontaudit crond_t $2:key manage_key_perms;
-
-		dontaudit $2 user_cron_spool_t:file entrypoint;
-
-		dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
-
-		dontaudit $2 unconfined_cronjob_t:process { ptrace signal_perms };
-')
-
-	optional_policy(`
-		gen_require(`
-			class dbus send_msg;
-		')
-
-		dbus_stub(unconfined_cronjob_t)
-
-		allow unconfined_cronjob_t $2:dbus send_msg;
+		dontaudit $2_t crond_t:fifo_file rw_fifo_file_perms;
 	')
 ')
 
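Review bot: `role $1 types { $2_crontab_t };` no longer authorizes the role for `cronjob_t`, yet the else branch of the `cron_userdomain_transition` tunable still assumes jobs run in the generic cronjob domain; with the tunable off, crond's transition into cronjob_t would now fail the role check for every user role. If the generic cronjob domain is meant to stay usable when the tunable is off, keep `cronjob_t` in the role statement and restore the `ps_process_pattern($2_t, cronjob_t)` rules; if that path is meant to go, the tunable and cronjob_t should go with it rather than leaving a half-working branch. Deleting the `cron_unconfined_role` interface also breaks any caller that still invokes it (unconfined.te in refpolicy), which this patch does not touch.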
@@ -968,3 +882,21 @@ interface(`cron_manage_system_spool',`
 	files_search_spool($1)
 	manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t)
 ')
+
+########################################
+## <summary>
+##      Access temporary files crond creates for script output
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`read_write_crond_tmp',`
+	gen_require(`
+		type crond_tmp_t;
+	')
+
+	allow $1 crond_tmp_t:file rw_file_perms;
+')
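Review bot: `read_write_crond_tmp` grants `rw_file_perms`, which includes open, while the matching rules in cron.te in this patch use `rw_inherited_file_perms`; for files crond hands to a job as its stdout/stderr the narrower `allow $1 crond_tmp_t:file rw_inherited_file_perms;` is sufficient and stops a job from opening other jobs' output files by path. The name also departs from the module-prefix convention every other interface in the file follows (`cron_*`), e.g. `cron_rw_inherited_crond_tmp_files`, and the caller added in sysstat.te would need the same rename. The doc block indents with spaces where the rest of the file uses a tab after `##`.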
Index: refpolicy/policy/modules/contrib/sysstat.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/sysstat.te
+++ refpolicy/policy/modules/contrib/sysstat.te
@@ -24,8 +24,7 @@ allow sysstat_t self:capability { dac_ov
 allow sysstat_t self:fifo_file rw_fifo_file_perms;
 
 manage_dirs_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)
-append_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
-create_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
+manage_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
 setattr_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
 manage_lnk_files_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)
 logging_log_filetrans(sysstat_t, sysstat_log_t, { file dir })
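Review bot: Replacing append/create with `manage_files_pattern` adds unlink, rename, link and unrestricted write on sysstat_log_t, which is a real widening for a log type, and nothing says what needs it (presumably the cleanup of old daily files by the sa2 script). A one-line comment naming the trigger would justify it for later audits; if only deletion is required, `delete_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)` next to the existing append/create rules is the smaller grant.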
@@ -39,12 +38,15 @@ kernel_read_fs_sysctls(sysstat_t)
 kernel_read_rpc_sysctls(sysstat_t)
 
 corecmd_exec_bin(sysstat_t)
+corecmd_exec_shell(sysstat_t)
 
 dev_read_sysfs(sysstat_t)
+dev_getattr_sysfs(sysstat_t)
 dev_read_urand(sysstat_t)
 
 files_search_var(sysstat_t)
 files_read_etc_runtime_files(sysstat_t)
+files_search_all_mountpoints(sysstat_t)
 
 fs_getattr_xattr_fs(sysstat_t)
 fs_list_inotifyfs(sysstat_t)
@@ -66,4 +68,5 @@ userdom_dontaudit_list_user_home_dirs(sy
 
 optional_policy(`
 	cron_system_entry(sysstat_t, sysstat_exec_t)
+	read_write_crond_tmp(sysstat_t)
 ')
Index: refpolicy/policy/modules/contrib/dirmngr.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/dirmngr.fc
+++ refpolicy/policy/modules/contrib/dirmngr.fc
@@ -7,6 +7,7 @@
 /var/log/dirmngr(/.*)?	gen_context(system_u:object_r:dirmngr_log_t,s0)
 
 /var/lib/dirmngr(/.*)?	gen_context(system_u:object_r:dirmngr_var_lib_t,s0)
+/var/cache/dirmngr(/.*)?	gen_context(system_u:object_r:dirmngr_var_lib_t,s0)
 
 /var/run/dirmngr\.pid	--	gen_context(system_u:object_r:dirmngr_var_run_t,s0)
 
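Review bot: Giving `/var/cache/dirmngr` the var_lib type means the cache and the persistent state in /var/lib/dirmngr share one label, so anything allowed to manage the cache can also manage the state files. refpolicy usually gives cache directories their own type (declared with `files_type` and named along the lines of `dirmngr_cache_t`); if only the daemon itself ever writes both, reusing the type is acceptable, but the choice deserves a comment next to the type declaration in dirmngr.te.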
Index: refpolicy/policy/modules/contrib/xen.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/xen.te
+++ refpolicy/policy/modules/contrib/xen.te
@@ -85,6 +85,9 @@ files_mountpoint(xend_var_lib_t)
 type xend_var_log_t;
 logging_log_file(xend_var_log_t)
 
+type xen_lock_t;
+files_lock_file(xen_lock_t)
+
 type xend_var_run_t;
 files_pid_file(xend_var_run_t)
 files_mountpoint(xend_var_run_t)
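Review bot: `xen_lock_t` is declared and a file transition for it is added later in this patch, but no xen.fc entry is included, so after a filesystem relabel existing lock files revert to the generic lock type and the `allow xm_t xen_lock_t:file manage_file_perms;` rule stops matching them. Add the corresponding context line in xen.fc; the hunk does not show which lock file xm creates, so the path below is a placeholder: `<path-to-xm-lock-file> -- gen_context(system_u:object_r:xen_lock_t,s0)`.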
@@ -173,6 +176,9 @@ allow xend_t self:tcp_socket { accept li
 allow xend_t self:packet_socket create_socket_perms;
 allow xend_t self:tun_socket create_socket_perms;
 
+# for lsscsi
+storage_getattr_fixed_disk_dev(xend_t)
+
 allow xend_t xen_image_t:dir list_dir_perms;
 manage_dirs_pattern(xend_t, xen_image_t, xen_image_t)
 manage_fifo_files_pattern(xend_t, xen_image_t, xen_image_t)
@@ -219,6 +225,7 @@ domtrans_pattern(xend_t, xenstored_exec_
 xen_stream_connect_xenstore(xend_t)
 
 kernel_read_kernel_sysctls(xend_t)
+kernel_read_vm_sysctls(xend_t)
 kernel_read_system_state(xend_t)
 kernel_write_xen_state(xend_t)
 kernel_read_xen_state(xend_t)
@@ -450,6 +457,7 @@ dev_read_sysfs(xenstored_t)
 
 files_read_etc_files(xenstored_t)
 files_read_usr_files(xenstored_t)
+corecmd_search_bin(xenstored_t)
 
 fs_search_xenfs(xenstored_t)
 fs_manage_xenfs_files(xenstored_t)
@@ -470,12 +478,26 @@ xen_append_log(xenstored_t)
 # xm local policy
 #
 
-allow xm_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config };
-allow xm_t self:process { getcap getsched setsched setcap signal };
+allow xm_t self:capability { dac_override setpcap net_admin ipc_lock sys_nice sys_tty_config };
+allow xm_t self:process { getcap getsched setsched setcap signal sigkill };
 allow xm_t self:fifo_file rw_fifo_file_perms;
 allow xm_t self:unix_stream_socket { accept connectto listen };
 allow xm_t self:tcp_socket { accept listen };
 
+allow xm_t xend_var_run_t:dir rw_dir_perms;
+
+files_lock_filetrans(xm_t, xen_lock_t, file)
+allow xm_t xen_lock_t:file manage_file_perms;
+domain_use_interactive_fds(xm_t)
+
+userdom_dontaudit_search_user_home_content(xm_t)
+
+# for vif-bridge to write to /run/xen-hotplug/iptables
+# maybe we need a different label for /run/xen-hotplug
+udev_manage_pid_files(xm_t)
+
+manage_files_pattern(xm_t, xend_var_log_t, xend_var_log_t)
+
 manage_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
 manage_fifo_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
 manage_sock_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
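Review bot: `udev_manage_pid_files(xm_t)` grants create/write/delete on every udev_var_run_t file, not only /run/xen-hotplug, so xm (or a hotplug script it runs) can also alter the udev runtime database; the comment above the line already suspects a separate label is needed. Since this patch adds `files_pid_filetrans(udev_t, udev_var_run_t, dir, "xen-hotplug")` in udev.te, a dedicated runtime type for that directory with a name transition there, and rules for only that type here, keeps the two daemons' runtime state apart. The `net_admin` capability added on the first line of the hunk also lacks a why-comment; if it exists for the iptables/ifconfig transitions added below, those domains carry the capability themselves.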
@@ -494,12 +516,16 @@ xen_stream_connect_xenstore(xm_t)
 
 can_exec(xm_t, xm_exec_t)
 
+kernel_load_module(xm_t)
+kernel_request_load_module(xm_t)
+files_read_kernel_img(xm_t)
 kernel_read_system_state(xm_t)
 kernel_read_network_state(xm_t)
 kernel_read_kernel_sysctls(xm_t)
 kernel_read_sysctl(xm_t)
 kernel_read_xen_state(xm_t)
 kernel_write_xen_state(xm_t)
+sysnet_domtrans_ifconfig(xm_t)
 
 corecmd_exec_bin(xm_t)
 corecmd_exec_shell(xm_t)
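Review bot: `kernel_load_module(xm_t)` lets the xm domain load kernel modules directly, a far larger grant than the `kernel_request_load_module` on the next line, which only asks the kernel to run its own module loader. If xm merely triggers autoloading when it creates devices, the request variant alone is enough; if it actually executes modprobe, the refpolicy way is a transition to the modutils domain rather than holding sys_module in xm_t. The hunk does not show which case applies, so a comment above the pair stating the trigger would help.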
@@ -563,6 +589,21 @@ tunable_policy(`xen_use_samba',`
 ')
 
 optional_policy(`
+	unconfined_run_to(xm_t, xm_exec_t)
+')
+
+optional_policy(`
+	qemu_domtrans(xm_t)
+	qemu_signal(xm_t)
+	qemu_stream_connect(xm_t)
+	qemu_unlink_socket(xm_t)
+')
+
+optional_policy(`
+	iptables_domtrans(xm_t)
+')
+
+optional_policy(`
 	cron_system_entry(xm_t, xm_exec_t)
 ')
 
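Review bot: The new optional_policy blocks for unconfined, qemu and iptables are inserted ahead of the existing cron block, whereas the file keeps these blocks in alphabetical module order; placing iptables before cron is the only one that belongs there, and qemu and unconfined should move after it. A short comment on the qemu block naming which xm operation spawns qemu would also help, since that transition is the broadest of the three.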
Index: refpolicy/policy/modules/system/udev.te
===================================================================
--- refpolicy.orig/policy/modules/system/udev.te
+++ refpolicy/policy/modules/system/udev.te
@@ -15,6 +15,8 @@ domain_interactive_fd(udev_t)
 init_daemon_domain(udev_t, udev_exec_t)
 init_named_socket_activation(udev_t, udev_var_run_t)
 
+init_domtrans_script(udev_t)
+
 type udev_etc_t alias etc_udev_t;
 files_config_file(udev_etc_t)
 
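Review bot: `init_domtrans_script(udev_t)` lets udev run init scripts in initrc_t, a large privilege jump for a device-event handler, and there is no comment saying which rule or event needs it. Refpolicy keeps a why-comment on grants like this; something like `# Debian udev rules run /etc/init.d scripts for <event>` (with the real trigger filled in) lets a later reviewer verify it. If only one script is involved, a dedicated domain for it is usually preferable to the generic initrc transition.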
@@ -27,6 +29,7 @@ files_type(udev_rules_t)
 type udev_var_run_t;
 files_pid_file(udev_var_run_t)
 init_daemon_pid_file(udev_var_run_t, dir, "udev")
+files_pid_filetrans(udev_t, udev_var_run_t, dir, "console-setup")
 
 ifdef(`enable_mcs',`
 	kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh)
@@ -58,6 +61,9 @@ allow udev_t self:netlink_generic_socket
 allow udev_t self:rawip_socket create_socket_perms;
 fs_read_cgroup_files(udev_t)
 
+# for systemd-udevd to rename interfaces
+allow udev_t self:netlink_route_socket nlmsg_write;
+
 allow udev_t udev_exec_t:file write;
 can_exec(udev_t, udev_exec_t)
 
@@ -185,6 +191,7 @@ sysnet_delete_dhcpc_pid(udev_t)
 sysnet_signal_dhcpc(udev_t)
 sysnet_manage_config(udev_t)
 sysnet_etc_filetrans_config(udev_t)
+sysnet_var_run_dirtrans_config(udev_t, "network")
 
 systemd_read_logind_sessions_files(udev_t)
 init_start_all_units(udev_t)
@@ -193,6 +200,9 @@ init_stop_all_units(udev_t)
 userdom_dontaudit_search_user_home_content(udev_t)
 
 ifdef(`distro_debian',`
+	# for https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851933
+	files_read_default_files(udev_t)
+
 	files_pid_filetrans(udev_t, udev_var_run_t, dir, "xen-hotplug")
 
 	optional_policy(`
@@ -208,6 +218,11 @@ ifdef(`distro_debian',`
 	')
 ')
 
+optional_policy(`
+	# for systemd-udevd when starting xen domu
+	virt_read_config(udev_t)
+')
+
 ifdef(`distro_gentoo',`
 	# during boot, init scripts use /dev/.rcsysinit
 	# existence to determine if we are in early booting
@@ -347,6 +362,7 @@ optional_policy(`
 	kernel_read_xen_state(udev_t)
 	xen_manage_log(udev_t)
 	xen_read_image_files(udev_t)
+	fs_manage_xenfs_files(udev_t)
 ')
 
 optional_policy(`
Index: refpolicy/policy/modules/system/fstools.te
===================================================================
--- refpolicy.orig/policy/modules/system/fstools.te
+++ refpolicy/policy/modules/system/fstools.te
@@ -52,6 +52,9 @@ allow fsadm_t fsadm_run_t:dir manage_dir
 allow fsadm_t fsadm_run_t:file manage_file_perms;
 files_pid_filetrans(fsadm_t, fsadm_run_t, dir)
 
+# for /run/mount/utab
+stat_mount_var_run(fsadm_t)
+
 # log files
 allow fsadm_t fsadm_log_t:dir setattr;
 manage_files_pattern(fsadm_t, fsadm_log_t, fsadm_log_t)
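Review bot: `stat_mount_var_run` is neither defined in this patch nor named by the `mount_*` module-prefix convention the rest of the file's interface calls follow, so the module will not build unless another patch in the series provides it. If it is defined elsewhere, a `mount_`-prefixed name along the lines of `mount_getattr_runtime_files` keeps it consistent with the other calls here; the `# for /run/mount/utab` comment is useful and should stay.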
@@ -207,6 +210,10 @@ optional_policy(`
 
 optional_policy(`
 	udev_read_db(fsadm_t)
+
+	# Xen causes losetup to run with a presumably accidentally inherited
+	# file handle for /run/xen-hotplug/block
+	dontaudit_udev_pidfile_rw(fsadm_t)
 ')
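Review bot: `dontaudit_udev_pidfile_rw` (defined in the udev.if hunk later in this patch) does not follow the `udev_*` module-prefix naming that every other call in this block uses; `udev_dontaudit_rw_pid_files` would match, and the definition in udev.if needs the same rename. In that definition the summary `dontaudit attempts to read/write udev pidfiles` should read `Do not audit attempts to read and write udev runtime files.` to match the phrasing of the surrounding interfaces. The comment here explaining the inherited descriptor for /run/xen-hotplug/block is good; for an inherited fd the `{ read write }` dontaudit set without open is the right minimal choice.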
 
 optional_policy(`
Index: refpolicy/policy/modules/system/udev.if
===================================================================
--- refpolicy.orig/policy/modules/system/udev.if
+++ refpolicy/policy/modules/system/udev.if
@@ -299,6 +299,24 @@ interface(`udev_list_pids',`
 
 ########################################
 ## <summary>
+##	dontaudit attempts to read/write udev pidfiles
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dontaudit_udev_pidfile_rw',`
+	gen_require(`
+		type udev_var_run_t;
+	')
+
+	dontaudit $1 udev_var_run_t:file { read write };
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete
 ##	udev pid directories
 ## </summary>
Index: refpolicy/policy/modules/contrib/apt.if
===================================================================
--- refpolicy.orig/policy/modules/contrib/apt.if
+++ refpolicy/policy/modules/contrib/apt.if
@@ -164,6 +164,26 @@ interface(`apt_use_ptys',`
 ##	</summary>
 ## </param>
 #
+interface(`apt_manage_cache',`
+	gen_require(`
+		type apt_var_cache_t;
+	')
+
+	files_search_var($1)
+	allow $1 apt_var_cache_t:dir manage_dir_perms;
+	allow $1 apt_var_cache_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Read apt package cache content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
 interface(`apt_read_cache',`
 	gen_require(`
 		type apt_var_cache_t;
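Review bot: The doc block now sitting above `apt_manage_cache` (its `</param>` and `#` are the first context lines of the hunk) is the original description of `apt_read_cache`, whose summary lies outside the hunk; unless it was rewritten in a part of the file not shown, `apt_manage_cache` is documented as a read interface while the new block added before `apt_read_cache` repeats the read description. The summary above the new interface should say `Create, read, write, and delete apt package cache content.` so the two blocks describe the right interfaces.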
Index: refpolicy/policy/modules/contrib/cron.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/cron.te
+++ refpolicy/policy/modules/contrib/cron.te
@@ -25,7 +25,7 @@ gen_tunable(cron_can_relabel, false)
 ##	the generic cronjob domain.
 ##	</p>
 ## </desc>
-gen_tunable(cron_userdomain_transition, false)
+gen_tunable(cron_userdomain_transition, true)
 
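Review bot: Flipping the default of `cron_userdomain_transition` to true changes behavior for every installation built from this policy: user cron jobs now run in the user's own domain with its full access instead of the confined cronjob domain. The `<desc>` text above still describes the tunable in terms of the generic cronjob domain and should state the new default; consider also whether this belongs inside the distro_debian ifdef rather than the shared default.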
 ## <desc>
 ##	<p>
@@ -86,15 +86,16 @@ mta_system_content(crond_var_run_t)
 type crontab_exec_t;
 application_executable_file(crontab_exec_t)
 
-cron_common_crontab_template(admin_crontab)
-typealias admin_crontab_t alias sysadm_crontab_t;
-typealias admin_crontab_tmp_t alias sysadm_crontab_tmp_t;
-
-cron_common_crontab_template(crontab)
-typealias crontab_t alias { user_crontab_t staff_crontab_t };
-typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t };
-typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t };
-typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
+cron_common_crontab_template(sysadm)
+typealias sysadm_crontab_t alias admin_crontab_t;
+typealias sysadm_crontab_tmp_t alias admin_crontab_tmp_t;
+
+cron_common_crontab_template(user)
+cron_common_crontab_template(staff)
+cron_common_crontab_template(unconfined)
+typealias user_crontab_t alias { crontab_t };
+typealias sysadm_crontab_t alias { auditadm_crontab_t secadm_crontab_t };
+typealias sysadm_crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
 
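Review bot: No alias is kept for the old `crontab_tmp_t`, `user_crontab_tmp_t` and `staff_crontab_tmp_t` names, and `staff_crontab_t` is no longer an alias of `crontab_t`, so any other module or fc entry still referring to those names fails to build or relabel. A `typealias user_crontab_tmp_t alias crontab_tmp_t;` next to the existing `typealias user_crontab_t alias { crontab_t };` covers the most likely reference. The unconfined instantiation creates `unconfined_crontab_t` without any role association visible here; check that the unconfined module receives the role assignment the deleted `cron_unconfined_role` used to provide.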
 type system_cron_spool_t, cron_spool_type;
 files_type(system_cron_spool_t)
@@ -117,12 +118,7 @@ files_type(system_cronjob_var_lib_t)
 type system_cronjob_var_run_t;
 files_pid_file(system_cronjob_var_run_t)
 
-type user_cron_spool_t, cron_spool_type;
-typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t };
-typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
-files_type(user_cron_spool_t)
-ubac_constrained(user_cron_spool_t)
-mta_system_content(user_cron_spool_t)
+typealias sysadm_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
 
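Review bot: Splitting the spool into per-stem types makes a crontab's label depend on which crontab domain created it, but cron.fc (not in this patch) presumably still labels everything under the crontab spool with a single type, so a filesystem relabel collapses all crontabs back to that type and the per-stem `entrypoint` rules in cron_role stop matching for the other stems. Either keep the per-stem names as aliases of one spool type, or document that crontabs must be recreated after a relabel. A comment above the remaining `typealias sysadm_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };` line saying that the spool types are now declared by cron_common_crontab_template would also help readers looking for the deleted declaration.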
 type user_cron_spool_log_t;
 logging_log_file(user_cron_spool_log_t)
@@ -142,9 +138,6 @@ allow crontab_domain self:capability { f
 allow crontab_domain self:process { getcap setsched signal_perms };
 allow crontab_domain self:fifo_file rw_fifo_file_perms;
 
-manage_files_pattern(crontab_domain, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
-filetrans_pattern(crontab_domain, cron_spool_t, user_cron_spool_t, file)
-
 allow crontab_domain cron_spool_t:dir setattr_dir_perms;
 
 allow crontab_domain crond_t:process signal;
@@ -215,8 +208,8 @@ tunable_policy(`fcron_crond',`
 # Daemon local policy
 #
 
-allow crond_t self:capability { dac_override chown fowner setgid setuid sys_nice dac_read_search };
-dontaudit crond_t self:capability { sys_resource sys_tty_config };
+allow crond_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_nice sys_resource };
+dontaudit crond_t self:capability { sys_tty_config };
 allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
 allow crond_t self:process { setexec setfscreate };
 allow crond_t self:fd use;
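Review bot: `sys_resource` moves from dontaudit to allow for crond_t without a comment, which lets the daemon raise resource limits past the hard limit for the jobs it spawns. A why-comment such as `# sys_resource: crond raises rlimits for jobs` (adjusted to the actual trigger) on the line keeps the reason with the grant; reordering the capability list alphabetically at the same time is fine.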
@@ -230,6 +223,7 @@ allow crond_t self:msg { send receive };
 allow crond_t self:key { search write link };
 dontaudit crond_t self:netlink_audit_socket nlmsg_tty_audit;
 
+allow crond_t cron_spool_type:file read_file_perms;
 allow crond_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms };
 logging_log_filetrans(crond_t, cron_log_t, file)
 
@@ -340,6 +334,22 @@ ifdef(`distro_debian',`
 	optional_policy(`
 		logwatch_search_cache_dir(crond_t)
 	')
+	optional_policy(`
+		apt_manage_cache(system_cronjob_t)
+		apt_read_db(system_cronjob_t)
+	')
+')
+
+optional_policy(`
+	acct_manage_data(system_cronjob_t)
+')
+
+optional_policy(`
+	ntp_admin(system_cronjob_t, system_r)
+')
+
+optional_policy(`
+	apache_unlink_var_lib(system_cronjob_t)
 ')
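Review bot: `ntp_admin(system_cronjob_t, system_r)` hands system cron jobs the whole ntp admin interface — running ntpd in its domain and managing its config, logs and runtime files — which is far more than a periodic job normally needs, and the new `ntp_read_conf` interface added to ntp.if in this patch is never called, which suggests the narrower interface may have been the intended one here. A comment naming the cron job behind each of the `acct`, `ntp` and `apache` grants would make these blocks auditable. The apt block is placed inside the distro_debian ifdef while the other three are unconditional; that is fine only if they are not Debian-specific.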
 
 ifdef(`distro_redhat',`
@@ -429,6 +439,7 @@ optional_policy(`
 	systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
 	# so cron jobs can restart daemons
 	init_stream_connect(system_cronjob_t)
+	initrc_manage_service(system_cronjob_t)
 ')
 
 optional_policy(`
@@ -440,14 +451,15 @@ optional_policy(`
 # System local policy
 #
 
-allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice };
+allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_admin net_bind_service setgid setuid sys_nice };
 allow system_cronjob_t self:process { signal_perms getsched setsched };
 allow system_cronjob_t self:fd use;
 allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
 allow system_cronjob_t self:passwd rootok;
 
-allow system_cronjob_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+allow system_cronjob_t cron_log_t:file manage_file_perms;
 logging_log_filetrans(system_cronjob_t, cron_log_t, file)
+logging_manage_generic_logs(system_cronjob_t)
 
 allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms };
 files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
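Review bot: `logging_manage_generic_logs(system_cronjob_t)` lets every system cron job create, modify and delete any var_log_t file, which weakens the log-integrity separation that the dedicated logrotate domain exists to preserve, and the line gives no hint which job needs it. If one job rotates or truncates a specific log, a per-log type or a transition to the logrotate domain is the smaller grant, and a comment should name the job. The `net_admin` capability added on the first line of the hunk likewise needs a why-comment.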
@@ -464,7 +476,7 @@ files_lock_filetrans(system_cronjob_t, s
 manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
 manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
 filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
-files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
+files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, { file dir })
 
 manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
 
@@ -475,7 +487,8 @@ allow system_cronjob_t crond_t:process s
 allow system_cronjob_t cron_spool_t:dir list_dir_perms;
 allow system_cronjob_t cron_spool_t:file rw_file_perms;
 
-allow system_cronjob_t crond_tmp_t:file { read write };
+allow system_cronjob_t crond_tmp_t:file rw_inherited_file_perms;
+allow cronjob_t crond_tmp_t:file rw_inherited_file_perms;
 
 kernel_read_kernel_sysctls(system_cronjob_t)
 kernel_read_network_state(system_cronjob_t)
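Review bot: `allow cronjob_t crond_tmp_t:file rw_inherited_file_perms;` is added in the "System local policy" section although it concerns the user cronjob domain, so a reader looking at the cronjob_t section further down will miss it; move it next to the other cronjob_t rules. The switch from `{ read write }` to `rw_inherited_file_perms` for system_cronjob_t is the right set for output files passed in as descriptors.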
@@ -567,6 +580,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	read_mrtg_etc(system_cronjob_t)
+')
+
+optional_policy(`
 	cyrus_manage_data(system_cronjob_t)
 ')
 
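Review bot: `read_mrtg_etc` is not defined in this patch and does not use the `mrtg_*` module-prefix naming the surrounding optional_policy calls follow; if another patch in the series provides it, an `mrtg_`-prefixed name (e.g. `mrtg_read_config`) keeps the file consistent. As with the other grants to system_cronjob_t added here, a comment naming the job (presumably the mrtg cron job reading its configuration) would help.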
@@ -719,27 +736,3 @@ optional_policy(`
 	nis_use_ypbind(cronjob_t)
 ')
 
-########################################
-#
-# Unconfined local policy
-#
-
-type unconfined_cronjob_t;
-domain_type(unconfined_cronjob_t)
-domain_cron_exemption_target(unconfined_cronjob_t)
-
-dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh };
-
-tunable_policy(`cron_userdomain_transition',`
-	dontaudit crond_t unconfined_cronjob_t:process transition;
-	dontaudit crond_t unconfined_cronjob_t:fd use;
-	dontaudit crond_t unconfined_cronjob_t:key manage_key_perms;
-',`
-	allow crond_t unconfined_cronjob_t:process transition;
-	allow crond_t unconfined_cronjob_t:fd use;
-	allow crond_t unconfined_cronjob_t:key manage_key_perms;
-')
-
-optional_policy(`
-	unconfined_domain(unconfined_cronjob_t)
-')
Index: refpolicy/policy/modules/contrib/ntp.if
===================================================================
--- refpolicy.orig/policy/modules/contrib/ntp.if
+++ refpolicy/policy/modules/contrib/ntp.if
@@ -18,6 +18,23 @@ interface(`ntp_stub',`
 
 ########################################
 ## <summary>
+##	Read ntp.conf
+## </summary>
+## <param name="domain" unused="true">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ntp_read_conf',`
+	gen_require(`
+		type ntp_conf_t;
+	')
+	allow $1 ntp_conf_t:file read_file_perms;
+')
+
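Review bot: The `<param name="domain" unused="true">` attribute is wrong: the body uses `$1` in `allow $1 ntp_conf_t:file read_file_perms;`, and the unused flag tells the interface documentation tooling that the argument is ignored. Change it to `## <param name="domain">`. A blank line between the gen_require block and the allow rule would match the layout of the other interfaces in the file, and `ntp_read_conf` is not called anywhere in this patch.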
+########################################
+## <summary>
 ##	Execute ntp server in the ntpd domain.
 ## </summary>
 ## <param name="domain">
Index: refpolicy/policy/modules/system/init.te
===================================================================
--- refpolicy.orig/policy/modules/system/init.te
+++ refpolicy/policy/modules/system/init.te
@@ -165,6 +165,7 @@ corecmd_exec_chroot(init_t)
 corecmd_exec_bin(init_t)
 
 dev_read_sysfs(init_t)
+logging_create_devlog_dev(init_t)
 # Early devtmpfs
 dev_rw_generic_chr_files(init_t)
 
@@ -389,7 +390,7 @@ optional_policy(`
 
 allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
 allow initrc_t self:capability ~{ sys_admin sys_module };
-allow initrc_t self:capability2 block_suspend;
+allow initrc_t self:capability2 { wake_alarm block_suspend };
 dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
 allow initrc_t self:passwd rootok;
 allow initrc_t self:key manage_key_perms;
@@ -1331,6 +1332,7 @@ ifdef(`init_systemd',`
 	allow init_t self:process { getcap setcap };
 	allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
 	allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
+	allow init_t self:netlink_audit_socket { nlmsg_relay create_socket_perms };
 	# Until systemd is fixed
 	allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
 	allow init_t self:udp_socket create_socket_perms;
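Review bot: `allow init_t self:netlink_audit_socket { nlmsg_relay create_socket_perms };` is added without a comment in a block that already carries a `# Until systemd is fixed` note, so a reader cannot tell whether this is a permanent grant or another workaround. As far as I know nlmsg_relay is the permission to submit userspace audit records through the kernel, which systemd does legitimately; add a why-comment such as `# systemd emits audit records for unit start/stop` if that is the trigger, or fold it under the existing note if it is temporary.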
@@ -1411,6 +1413,7 @@ ifdef(`init_systemd',`
 
 	systemd_manage_unit_dirs(init_t)
 	systemd_manage_all_unit_files(init_t)
+	systemd_manage_lnk_file_passwd_run(init_t)
 
 	create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type)
 
Index: refpolicy/policy/modules/system/systemd.if
===================================================================
--- refpolicy.orig/policy/modules/system/systemd.if
+++ refpolicy/policy/modules/system/systemd.if
@@ -828,3 +828,20 @@ interface(`systemd_read_machines',`
 	allow $1 systemd_machined_var_run_t:file read_file_perms;
 ')
 
+######################################
+## <summary>
+##  Allow to domain to create systemd-passwd symlink
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`systemd_manage_lnk_file_passwd_run',`
+	gen_require(`
+		type systemd_passwd_var_run_t;
+	')
+
+	allow $1 systemd_passwd_var_run_t:lnk_file manage_lnk_file_perms;
+')
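Review bot: The summary `Allow to domain to create systemd-passwd symlink` is ungrammatical and understates the grant, which is `manage_lnk_file_perms` (create, read, write, delete, rename); write it as `Create, read, write, and delete the systemd-passwd runtime symlinks.` The separator line is also shorter than the 40-character one used by the other interfaces in this file, and the doc lines use two spaces after `##` where the rest of the file uses a tab.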
Index: refpolicy/policy/modules/contrib/clamav.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/clamav.te
+++ refpolicy/policy/modules/contrib/clamav.te
@@ -73,7 +73,7 @@ logging_log_file(freshclam_var_log_t)
 # Clamd local policy
 #
 
-allow clamd_t self:capability { kill setgid setuid dac_override };
+allow clamd_t self:capability { chown fowner fsetid kill setgid setuid dac_override };
 dontaudit clamd_t self:capability sys_tty_config;
 allow clamd_t self:process signal;
 allow clamd_t self:fifo_file rw_fifo_file_perms;
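Review bot: `chown fowner fsetid` is added to clamd_t without a comment, and together with the existing `dac_override` it lets a daemon that parses untrusted content change ownership and mode on any file it can reach. If the need is ownership of its own socket or log files at startup, say so in a comment above the rule and check whether fixing file ownership in packaging removes the need altogether.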
@@ -107,6 +107,9 @@ kernel_dontaudit_list_proc(clamd_t)
 kernel_read_sysctl(clamd_t)
 kernel_read_kernel_sysctls(clamd_t)
 kernel_read_system_state(clamd_t)
+kernel_read_vm_sysctls(clamd_t)
+kernel_read_vm_overcommit_sysctl(clamd_t)
+dev_read_sysfs(clamd_t)
 
 corecmd_exec_shell(clamd_t)
 
@@ -215,6 +218,10 @@ corenet_sendrecv_http_client_packets(fre
 corenet_tcp_connect_http_port(freshclam_t)
 corenet_tcp_sendrecv_http_port(freshclam_t)
 
+corenet_sendrecv_http_cache_client_packets(freshclam_t)
+corenet_tcp_connect_http_cache_port(freshclam_t)
+corenet_tcp_sendrecv_http_cache_port(freshclam_t)
+
 corenet_sendrecv_squid_client_packets(freshclam_t)
 corenet_tcp_connect_squid_port(freshclam_t)
 corenet_tcp_sendrecv_squid_port(freshclam_t)
Index: refpolicy/policy/modules/contrib/dpkg.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/dpkg.te
+++ refpolicy/policy/modules/contrib/dpkg.te
@@ -38,6 +38,9 @@ domain_system_change_exemption(dpkg_scri
 domain_interactive_fd(dpkg_script_t)
 role dpkg_roles types dpkg_script_t;
 
+spec_domtrans_pattern(dpkg_t, dpkg_var_lib_t, dpkg_script_t)
+domain_entry_file(dpkg_script_t, dpkg_var_lib_t)
+
 type dpkg_script_tmp_t;
 files_tmp_file(dpkg_script_tmp_t)
 
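Review bot: `domain_entry_file(dpkg_script_t, dpkg_var_lib_t)` makes every file labelled dpkg_var_lib_t a valid entrypoint for dpkg_script_t, and `spec_domtrans_pattern` then transitions dpkg_t into it on exec; since dpkg_var_lib_t is a data type rather than a dedicated exec type, that is a notable widening and deserves a comment such as `# maintainer scripts shipped under dpkg_var_lib_t run in dpkg_script_t` (I infer the intent; the rest of the module is outside this hunk). These two rules are also inserted between the type declarations, whereas refpolicy keeps access rules in the local-policy section of the file, so they would be easier to find next to the other dpkg_t rules.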
@@ -205,7 +208,7 @@ optional_policy(`
 # Script Local policy
 #
 
-allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
+allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid ipc_lock sys_chroot sys_nice mknod setfcap };
 allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow dpkg_script_t self:fd use;
 allow dpkg_script_t self:fifo_file rw_fifo_file_perms;
@@ -335,6 +338,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	systemd_logind_read_process_state(dpkg_script_t)
+	systemd_dbus_chat_logind(dpkg_script_t)
+')
+
+optional_policy(`
 	unconfined_domain(dpkg_script_t)
 ')
 
Index: refpolicy/policy/modules/kernel/devices.if
===================================================================
--- refpolicy.orig/policy/modules/kernel/devices.if
+++ refpolicy/policy/modules/kernel/devices.if
@@ -589,6 +589,24 @@ interface(`dev_getattr_generic_chr_files
 
 ########################################
 ## <summary>
+##	Allow setattr for generic character device files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_generic_chr_files',`
+	gen_require(`
+		type device_t;
+	')
+
+	setattr_chr_files_pattern($1, device_t, device_t)
+')
+
+########################################
+## <summary>
 ##	Dontaudit getattr for generic character device files.
 ## </summary>
 ## <param name="domain">
Index: refpolicy/policy/modules/kernel/kernel.te
===================================================================
--- refpolicy.orig/policy/modules/kernel/kernel.te
+++ refpolicy/policy/modules/kernel/kernel.te
@@ -267,6 +267,7 @@ dev_create_generic_blk_files(kernel_t)
 dev_delete_generic_blk_files(kernel_t)
 dev_create_generic_chr_files(kernel_t)
 dev_delete_generic_chr_files(kernel_t)
+dev_setattr_generic_chr_files(kernel_t)
 dev_mounton(kernel_t)
 
 # Mount root file system. Used when loading a policy
Index: refpolicy/policy/modules/contrib/postfix.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/postfix.te
+++ refpolicy/policy/modules/contrib/postfix.te
@@ -172,6 +172,7 @@ optional_policy(`
 #
 
 allow postfix_server_domain self:capability { setuid setgid dac_override };
+allow postfix_master_t self:process getsched;
 
 allow postfix_server_domain postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
 
@@ -234,6 +235,8 @@ manage_files_pattern(postfix_master_t, p
 manage_lnk_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
 filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_flush_t, dir, "flush")
 
+hostname_exec(postfix_master_t)
+
 create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_private_t)
 manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
 manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
@@ -272,6 +275,7 @@ corenet_udp_sendrecv_generic_node(postfi
 corenet_tcp_sendrecv_all_ports(postfix_master_t)
 corenet_udp_sendrecv_all_ports(postfix_master_t)
 corenet_tcp_bind_generic_node(postfix_master_t)
+corenet_udp_bind_generic_node(postfix_master_t)
 
 corenet_sendrecv_amavisd_send_server_packets(postfix_master_t)
 corenet_tcp_bind_amavisd_send_port(postfix_master_t)
@@ -326,6 +330,11 @@ optional_policy(`
 
 optional_policy(`
 	mailman_manage_data_files(postfix_master_t)
+	mailman_search_data(postfix_pipe_t)
+')
+
+optional_policy(`
+	milter_getattr_data_dir(postfix_master_t)
 ')
 
 optional_policy(`
@@ -371,6 +380,7 @@ allow postfix_cleanup_t self:process set
 
 allow postfix_cleanup_t postfix_smtpd_t:tcp_socket rw_stream_socket_perms;
 allow postfix_cleanup_t postfix_smtpd_t:unix_stream_socket rw_socket_perms;
+allow postfix_cleanup_t postfix_smtpd_t:fd use;
 
 allow postfix_cleanup_t postfix_spool_maildrop_t:dir list_dir_perms;
 allow postfix_cleanup_t postfix_spool_maildrop_t:file read_file_perms;
@@ -400,6 +410,10 @@ optional_policy(`
 	mailman_read_data_files(postfix_cleanup_t)
 ')
 
+optional_policy(`
+	dkim_stream_connect(postfix_cleanup_t)
+')
+
 ########################################
 #
 # Local local policy
@@ -432,6 +446,7 @@ tunable_policy(`postfix_local_write_mail
 optional_policy(`
 	clamav_search_lib(postfix_local_t)
 	clamav_exec_clamscan(postfix_local_t)
+	clamav_stream_connect(postfix_smtpd_t)
 ')
 
 optional_policy(`
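Review bot: `clamav_stream_connect(postfix_smtpd_t)` is placed inside an optional_policy block whose other two calls are for postfix_local_t, under the "Local local policy" heading, so a reader looking for smtpd rules will not find it and a future cleanup of the local-policy block may drop it. The call belongs in the smtpd local-policy section in its own `optional_policy(\` clamav_stream_connect(postfix_smtpd_t) ')` block. The enclosing section starts outside this hunk.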
@@ -557,6 +572,10 @@ domtrans_pattern(postfix_pipe_t, postfix
 
 corecmd_exec_bin(postfix_pipe_t)
 
+write_sock_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t)
+
+
+
 optional_policy(`
 	dovecot_domtrans_deliver(postfix_pipe_t)
 ')
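Review bot: The new `write_sock_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t)` line is followed by three blank lines where the file otherwise uses one, which reads as a leftover from editing. The same stray blank lines appear in apache.te after the `httpd_sys_script_t:process signull` and `unix_dgram_socket` rules; collapsing each to a single blank line keeps the diff tidy.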
@@ -567,6 +586,7 @@ optional_policy(`
 
 optional_policy(`
 	mailman_domtrans_queue(postfix_pipe_t)
+	mailman_domtrans(postfix_pipe_t)
 ')
 
 optional_policy(`
@@ -596,6 +616,10 @@ manage_files_pattern(postfix_postdrop_t,
 
 allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };
 
+# for /var/spool/postfix/public/pickup
+allow postfix_postdrop_t postfix_public_t:sock_file { getattr write };
+allow postfix_postdrop_t postfix_master_t:unix_stream_socket connectto;
+
 mcs_file_read_all(postfix_postdrop_t)
 mcs_file_write_all(postfix_postdrop_t)
 
@@ -654,6 +678,10 @@ optional_policy(`
 	ppp_sigchld(postfix_postqueue_t)
 ')
 
+optional_policy(`
+	userdom_sigchld_all_users(postfix_postqueue_t)
+')
+
 ########################################
 #
 # Qmgr local policy
Index: refpolicy/policy/modules/contrib/bind.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/bind.te
+++ refpolicy/policy/modules/contrib/bind.te
@@ -112,6 +112,9 @@ allow named_t named_zone_t:dir list_dir_
 read_files_pattern(named_t, named_zone_t, named_zone_t)
 read_lnk_files_pattern(named_t, named_zone_t, named_zone_t)
 
+files_read_usr_files(named_t)
+kernel_read_net_sysctls(named_t)
+kernel_read_vm_sysctls(named_t)
 kernel_read_kernel_sysctls(named_t)
 kernel_read_vm_overcommit_sysctl(named_t)
 kernel_read_system_state(named_t)
@@ -219,6 +222,7 @@ optional_policy(`
 #
 
 allow ndc_t self:capability { dac_override net_admin };
+allow ndc_t self:capability2 block_suspend;
 allow ndc_t self:process signal_perms;
 allow ndc_t self:fifo_file rw_fifo_file_perms;
 allow ndc_t self:unix_stream_socket { accept listen };
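Review bot: `allow ndc_t self:capability2 block_suspend;` grants a capability that, as far as I can tell, is normally only probed by libraries and in other refpolicy modules is handled with a dontaudit rather than an allow; unless ndc demonstrably fails without it, `dontaudit ndc_t self:capability2 block_suspend;` would be the safer form. Whichever is kept, a comment naming the operation that triggered the denial would help.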
Index: refpolicy/policy/modules/contrib/kerneloops.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/kerneloops.te
+++ refpolicy/policy/modules/contrib/kerneloops.te
@@ -29,6 +29,7 @@ files_tmp_filetrans(kerneloops_t, kernel
 
 kernel_read_ring_buffer(kerneloops_t)
 kernel_read_system_state(kerneloops_t)
+dev_read_urand(kerneloops_t)
 
 domain_use_interactive_fds(kerneloops_t)
 
Index: refpolicy/policy/modules/admin/bootloader.te
===================================================================
--- refpolicy.orig/policy/modules/admin/bootloader.te
+++ refpolicy/policy/modules/admin/bootloader.te
@@ -41,7 +41,7 @@ dev_node(bootloader_tmp_t)
 # bootloader local policy
 #
 
-allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_rawio sys_admin mknod chown };
+allow bootloader_t self:capability { dac_override dac_read_search fsetid setgid sys_rawio sys_admin mknod chown };
 allow bootloader_t self:process { signal_perms execmem };
 allow bootloader_t self:fifo_file rw_fifo_file_perms;
 
@@ -65,6 +65,9 @@ kernel_read_system_state(bootloader_t)
 kernel_read_software_raid_state(bootloader_t)
 kernel_read_kernel_sysctls(bootloader_t)
 
+# for grub-probe
+kernel_request_load_module(bootloader_t)
+
 storage_raw_read_fixed_disk(bootloader_t)
 storage_raw_write_fixed_disk(bootloader_t)
 storage_raw_read_removable_device(bootloader_t)
@@ -149,6 +152,11 @@ ifdef(`distro_debian',`
 	fstools_relabelto_entry_files(bootloader_t)
 
 	libs_relabelto_lib_files(bootloader_t)
+
+	# for apt-cache
+	dpkg_read_db(bootloader_t)
+	apt_read_db(bootloader_t)
+	apt_read_cache(bootloader_t)
 ')
 
 ifdef(`distro_redhat',`
Index: refpolicy/policy/modules/services/ssh.te
===================================================================
--- refpolicy.orig/policy/modules/services/ssh.te
+++ refpolicy/policy/modules/services/ssh.te
@@ -250,6 +250,8 @@ optional_policy(`
 allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
 allow sshd_t self:key { search link write };
 
+allow sshd_t self:capability net_admin;
+
 allow sshd_t sshd_keytab_t:file read_file_perms;
 
 manage_dirs_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
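Review bot: `allow sshd_t self:capability net_admin;` hands a network-facing daemon one of the broadest capabilities (interface configuration, routing, privileged socket options) with no comment saying what sshd does that needs it. If the denial comes from a feature probe that works without the capability, `dontaudit sshd_t self:capability net_admin;` is the better fix; if it is genuinely required, a comment above the rule naming the operation should be added. locallogin.te grants the same capability to local_login_t in this patch and has the same question.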
Index: refpolicy/policy/modules/contrib/gpg.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/gpg.te
+++ refpolicy/policy/modules/contrib/gpg.te
@@ -223,6 +223,11 @@ manage_sock_files_pattern(gpg_agent_t, g
 manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
 manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
 
+xdm_sigchld(gpg_agent_t)
+dbus_system_bus_client(gpg_agent_t)
+auth_use_nsswitch(gpg_agent_t)
+xserver_read_user_xauth(gpg_agent_t)
+
 manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
 manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
 manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
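Review bot: `xdm_sigchld`, `dbus_system_bus_client` and `xserver_read_user_xauth` are called unconditionally here, but the xserver and dbus modules are optional in refpolicy, so the gpg module will fail to build when either is absent; the neighbouring rules in this hunk are all core interfaces, which hides the dependency. Wrap them as `optional_policy(\` xdm_sigchld(gpg_agent_t) xserver_read_user_xauth(gpg_agent_t) ')` and `optional_policy(\` dbus_system_bus_client(gpg_agent_t) ')`, keeping `auth_use_nsswitch` where it is.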
Index: refpolicy/policy/modules/services/xserver.if
===================================================================
--- refpolicy.orig/policy/modules/services/xserver.if
+++ refpolicy/policy/modules/services/xserver.if
@@ -1423,3 +1423,21 @@ interface(`xserver_dbus_chat',`
 	allow $1 xserver_t:dbus send_msg;
 	allow xserver_t $1:dbus send_msg;
 ')
+
+########################################
+## <summary>
+##	Allow domain to send sigchld to xdm_t
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdm_sigchld',`
+	gen_require(`
+		type xdm_t;
+	')
+
+	allow $1 xdm_t:process sigchld;
+')
Index: refpolicy/policy/modules/system/userdomain.if
===================================================================
--- refpolicy.orig/policy/modules/system/userdomain.if
+++ refpolicy/policy/modules/system/userdomain.if
@@ -117,6 +117,15 @@ template(`userdom_base_user_template',`
 		# Allow making the stack executable via mprotect.
 		allow $1_t self:process execstack;
 	')
+
+	optional_policy(`
+		kerneloops_dbus_chat($1_t)
+	')
+
+	optional_policy(`
+		devicekit_dbus_chat_disk($1_t)
+		devicekit_dbus_chat_power($1_t)
+	')
 ')
 
 #######################################
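Review bot: The two new optional_policy blocks add kerneloops and devicekit disk/power D-Bus chat to `userdom_base_user_template`, whose opening is outside this hunk; if that template also underlies the restricted user templates (I cannot confirm from here), every user domain, including the minimal ones, gains these channels. If only interactive desktop users need them, the unprivileged or common user template is the narrower place, and a comment above the blocks such as `# desktop notifications and udisks/upower access for logged-in users` would record the intent either way.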
Index: refpolicy/policy/modules/system/selinuxutil.te
===================================================================
--- refpolicy.orig/policy/modules/system/selinuxutil.te
+++ refpolicy/policy/modules/system/selinuxutil.te
@@ -452,6 +452,8 @@ allow semanage_t policy_config_t:file rw
 
 filetrans_pattern(semanage_t, selinux_config_t, semanage_store_t, dir, "modules")
 
+allow semanage_t policy_src_t:dir search;
+
 allow semanage_t semanage_tmp_t:dir manage_dir_perms;
 allow semanage_t semanage_tmp_t:file manage_file_perms;
 files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
@@ -545,6 +547,7 @@ kernel_rw_unix_dgram_sockets(setfiles_t)
 kernel_dontaudit_list_all_proc(setfiles_t)
 kernel_dontaudit_list_all_sysctls(setfiles_t)
 
+dev_read_urand(setfiles_t)
 dev_relabel_all_dev_nodes(setfiles_t)
 # to handle when /dev/console needs to be relabeled
 dev_rw_generic_chr_files(setfiles_t)
Index: refpolicy/policy/modules/system/miscfiles.fc
===================================================================
--- refpolicy.orig/policy/modules/system/miscfiles.fc
+++ refpolicy/policy/modules/system/miscfiles.fc
@@ -12,7 +12,7 @@ ifdef(`distro_gentoo',`
 /etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0)
 /etc/localtime		--	gen_context(system_u:object_r:locale_t,s0)
 /etc/pki(/.*)?			gen_context(system_u:object_r:cert_t,s0)
-/etc/ssl(/.*)?			gen_context(system_u:object_r:cert_t,s0)
+/etc/ssl/private(/.*)?			gen_context(system_u:object_r:cert_t,s0)
 /etc/timezone		--	gen_context(system_u:object_r:locale_t,s0)
 
 ifdef(`distro_debian',`
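Review bot: Narrowing `/etc/ssl(/.*)?` to `/etc/ssl/private(/.*)?` removes the cert_t label from everything else under /etc/ssl, so those paths fall back to whatever the parent rule gives them and any domain that relies on `miscfiles_read_generic_certs` loses access to them on relabel. If the intent is a Debian-specific layout, the narrowed entry belongs under the `ifdef(\`distro_debian'` block that starts on the last line of this hunk, with a comment such as `# only the private keys need the cert_t protection here` above it; otherwise the patch description should state the behaviour change.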
Index: refpolicy/policy/modules/contrib/dovecot.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/dovecot.fc
+++ refpolicy/policy/modules/contrib/dovecot.fc
@@ -19,6 +19,9 @@
 /usr/lib/dovecot/deliver	--	gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
 /usr/lib/dovecot/dovecot-auth	--	gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
 /usr/lib/dovecot/dovecot-lda	--	gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+/usr/lib/dovecot/log	--	gen_context(system_u:object_r:dovecot_exec_t,s0)
+/usr/lib/dovecot/ssl-params	--	gen_context(system_u:object_r:dovecot_exec_t,s0)
+/usr/lib/dovecot/anvil	--	gen_context(system_u:object_r:dovecot_exec_t,s0)
 
 /usr/libexec/dovecot/auth	--	gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
 /usr/libexec/dovecot/deliver	--	gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
Index: refpolicy/policy/modules/system/locallogin.te
===================================================================
--- refpolicy.orig/policy/modules/system/locallogin.te
+++ refpolicy/policy/modules/system/locallogin.te
@@ -32,7 +32,7 @@ role system_r types sulogin_t;
 # Local login local policy
 #
 
-allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
+allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_admin sys_nice sys_resource sys_tty_config };
 allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow local_login_t self:process { setrlimit setexec };
 allow local_login_t self:fd use;
@@ -240,6 +240,9 @@ fs_rw_tmpfs_chr_files(sulogin_t)
 files_read_etc_files(sulogin_t)
 
 auth_read_shadow(sulogin_t)
+auth_login_pgm_domain(sulogin_t)
+kernel_read_crypto_sysctls(sulogin_t)
+selinux_set_generic_booleans(sulogin_t)
 
 init_getpgid_script(sulogin_t)
 
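Review bot: `auth_login_pgm_domain(sulogin_t)` and `selinux_set_generic_booleans(sulogin_t)` are large grants for a single-user recovery shell and arrive without a comment; the boolean-setting one in particular lets sulogin change policy behaviour, which is rarely needed to log in. If these were added from audit denials that do not actually break sulogin, dontaudit forms would be the safer choice; if they are required, a comment naming the operation (for example the PAM stack step that needs them) should be placed above the three lines. The same comment convention is missing for `kernel_read_crypto_sysctls`.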
Index: refpolicy/policy/modules/system/sysnetwork.fc
===================================================================
--- refpolicy.orig/policy/modules/system/sysnetwork.fc
+++ refpolicy/policy/modules/system/sysnetwork.fc
@@ -42,6 +42,7 @@ ifdef(`distro_redhat',`
 /sbin/dhclient.*	--	gen_context(system_u:object_r:dhcpc_exec_t,s0)
 /sbin/dhcdbd		--	gen_context(system_u:object_r:dhcpc_exec_t,s0)
 /sbin/dhcpcd		--	gen_context(system_u:object_r:dhcpc_exec_t,s0)
+/usr/sbin/dhcp6c	--	gen_context(system_u:object_r:dhcpc_exec_t,s0)
 /sbin/ethtool		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
 /sbin/ifconfig		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
 /sbin/ip		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
@@ -66,11 +67,13 @@ ifdef(`distro_redhat',`
 /var/lib/dhcp3?		-d	gen_context(system_u:object_r:dhcp_state_t,s0)
 /var/lib/dhcp3?/dhclient.*	gen_context(system_u:object_r:dhcpc_state_t,s0)
 /var/lib/dhcpcd(/.*)?		gen_context(system_u:object_r:dhcpc_state_t,s0)
+/var/lib/dhcpv6(/.*)?		gen_context(system_u:object_r:dhcpc_state_t,s0)
 /var/lib/dhclient(/.*)?		gen_context(system_u:object_r:dhcpc_state_t,s0)
 /var/lib/wifiroamd(/.*)?	gen_context(system_u:object_r:dhcpc_state_t,s0)
 
 /var/run/dhclient.*	--	gen_context(system_u:object_r:dhcpc_var_run_t,s0)
 /var/run/dhcpcd(/.*)?		gen_context(system_u:object_r:dhcpc_var_run_t,s0)
+/var/run/dhcp6c.pid	--	gen_context(system_u:object_r:dhcpc_var_run_t,s0)
 
 ifdef(`distro_gentoo',`
 /var/lib/dhcpc(/.*)?		gen_context(system_u:object_r:dhcpc_state_t,s0)
@@ -78,5 +81,6 @@ ifdef(`distro_gentoo',`
 
 ifdef(`distro_debian',`
 /var/run/network(/.*)?	gen_context(system_u:object_r:net_conf_t,s0)
+/var/run/resolvconf/.*	--	gen_context(system_u:object_r:net_conf_t,s0)
 ')
 
Index: refpolicy/policy/modules/system/getty.te
===================================================================
--- refpolicy.orig/policy/modules/system/getty.te
+++ refpolicy/policy/modules/system/getty.te
@@ -34,7 +34,7 @@ files_pid_file(getty_var_run_t)
 
 # Use capabilities.
 allow getty_t self:capability { dac_override chown setgid sys_admin sys_resource sys_tty_config fowner fsetid };
-dontaudit getty_t self:capability sys_tty_config;
+dontaudit getty_t self:capability { sys_admin sys_tty_config };
 allow getty_t self:process { getpgid setpgid getsession signal_perms };
 allow getty_t self:fifo_file rw_fifo_file_perms;
 
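Review bot: The changed `dontaudit getty_t self:capability { sys_admin sys_tty_config };` is a no-op for sys_admin, because the `allow getty_t self:capability { ... sys_admin ... }` rule two lines above already grants it (and the same is true of the pre-existing sys_tty_config entry); a dontaudit only matters for permissions that are not allowed. Either sys_admin should be removed from the allow rule if the intent is to silence a probe, or the dontaudit line should be left as it was.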
Index: refpolicy/policy/modules/contrib/gnome.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/gnome.te
+++ refpolicy/policy/modules/contrib/gnome.te
@@ -94,6 +94,12 @@ userdom_manage_user_tmp_dirs(gconfd_t)
 userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
 userdom_user_runtime_filetrans_user_tmp(gconfd_t, dir)
 
+# for /var/lib/gconf/defaults
+files_read_var_lib_files(gconfd_t)
+
+# for /proc/filesystems
+kernel_read_system_state(gconfd_t)
+
 optional_policy(`
 	dbus_all_session_domain(gconfd_t, gconfd_exec_t)
 
Index: refpolicy/policy/modules/system/mount.if
===================================================================
--- refpolicy.orig/policy/modules/system/mount.if
+++ refpolicy/policy/modules/system/mount.if
@@ -209,3 +209,21 @@ interface(`mount_rw_loopback_files',`
 
 	allow $1 mount_loopback_t:file rw_file_perms;
 ')
+
+########################################
+## <summary>
+##	Getattr on mount_var_run_t
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`stat_mount_var_run',`
+	gen_require(`
+		type mount_var_run_t;
+	')
+
+	allow $1 mount_var_run_t:file getattr;
+')
Index: refpolicy/policy/modules/contrib/dovecot.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/dovecot.te
+++ refpolicy/policy/modules/contrib/dovecot.te
@@ -92,7 +92,7 @@ miscfiles_read_localization(dovecot_doma
 # Local policy
 #
 
-allow dovecot_t self:capability { dac_override dac_read_search chown fsetid kill setgid setuid sys_chroot };
+allow dovecot_t self:capability { dac_override dac_read_search chown fsetid kill setgid setuid sys_chroot sys_resource };
 dontaudit dovecot_t self:capability sys_tty_config;
 allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched };
 allow dovecot_t self:tcp_socket { accept listen };
@@ -133,6 +133,9 @@ allow dovecot_t dovecot_auth_t:process s
 
 domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
 
+files_list_usr(dovecot_t)
+files_read_usr_files(dovecot_t)
+
 corenet_all_recvfrom_unlabeled(dovecot_t)
 corenet_all_recvfrom_netlabel(dovecot_t)
 corenet_tcp_sendrecv_generic_if(dovecot_t)
@@ -242,9 +245,14 @@ files_tmp_filetrans(dovecot_auth_t, dove
 
 allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
 manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
+allow dovecot_auth_t dovecot_var_run_t:file manage_file_perms;
+allow dovecot_auth_t dovecot_var_run_t:fifo_file write_fifo_file_perms;
 
 allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
 
+selinux_get_enforce_mode(dovecot_auth_t)
+selinux_get_fs_mount(dovecot_auth_t)
+
 files_search_pids(dovecot_auth_t)
 files_read_usr_files(dovecot_auth_t)
 files_read_var_lib_files(dovecot_auth_t)
@@ -256,7 +264,7 @@ init_rw_utmp(dovecot_auth_t)
 
 logging_send_audit_msgs(dovecot_auth_t)
 
-seutil_dontaudit_search_config(dovecot_auth_t)
+seutil_search_default_contexts(dovecot_auth_t)
 
 sysnet_use_ldap(dovecot_auth_t)
 
Index: refpolicy/policy/modules/contrib/dkim.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/dkim.te
+++ refpolicy/policy/modules/contrib/dkim.te
@@ -20,16 +20,25 @@ init_daemon_pid_file(dkim_milter_data_t,
 # Local policy
 #
 
-allow dkim_milter_t self:capability { setgid setuid };
-allow dkim_milter_t self:process signal;
+allow dkim_milter_t self:capability { dac_override setgid setuid };
+allow dkim_milter_t self:process { signal signull };
 allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms;
 
 read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)
 
 kernel_read_kernel_sysctls(dkim_milter_t)
+kernel_read_vm_sysctls(dkim_milter_t)
+kernel_read_vm_overcommit_sysctl(dkim_milter_t)
+
+# for cpu/online
+dev_read_sysfs(dkim_milter_t)
 
 dev_read_urand(dkim_milter_t)
 
 files_search_spool(dkim_milter_t)
 
 mta_read_config(dkim_milter_t)
+
+corenet_udp_bind_generic_node(dkim_milter_t)
+corenet_udp_bind_all_unreserved_ports(dkim_milter_t)
+corenet_dontaudit_udp_bind_all_ports(dkim_milter_t)
Index: refpolicy/policy/modules/contrib/perdition.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/perdition.fc
+++ refpolicy/policy/modules/contrib/perdition.fc
@@ -2,6 +2,6 @@
 
 /etc/perdition(/.*)?	gen_context(system_u:object_r:perdition_etc_t,s0)
 
-/usr/sbin/perdition	--	gen_context(system_u:object_r:perdition_exec_t,s0)
+/usr/sbin/perdition.*	--	gen_context(system_u:object_r:perdition_exec_t,s0)
 
 /var/run/perdition\.pid	--	gen_context(system_u:object_r:perdition_var_run_t,s0)
Index: refpolicy/policy/modules/contrib/nagios.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/nagios.te
+++ refpolicy/policy/modules/contrib/nagios.te
@@ -214,12 +214,15 @@ optional_policy(`
 # Nrpe local policy
 #
 
-allow nrpe_t self:capability { setuid setgid };
+allow nrpe_t self:capability { dac_override setuid setgid };
 dontaudit nrpe_t self:capability { sys_tty_config sys_resource };
 allow nrpe_t self:process { setpgid signal_perms setsched setrlimit };
 allow nrpe_t self:fifo_file rw_fifo_file_perms;
 allow nrpe_t self:tcp_socket { accept listen };
 
+allow nrpe_t nagios_etc_t:dir list_dir_perms;
+allow nrpe_t nagios_etc_t:file read_file_perms;
+
 allow nrpe_t nagios_plugin_domain:process { signal sigkill };
 
 read_files_pattern(nrpe_t, nagios_etc_t, nrpe_etc_t)
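Review bot: The two added rules let nrpe_t list and read every nagios_etc_t file, whereas the existing `read_files_pattern(nrpe_t, nagios_etc_t, nrpe_etc_t)` on the last line deliberately limits it to the nrpe_etc_t files under that directory; this widens nrpe's reach to the full nagios configuration, which may contain credentials. If nrpe really needs the other configuration files, the idiomatic form is `read_files_pattern(nrpe_t, nagios_etc_t, nagios_etc_t)` with a comment naming which file prompted it; otherwise the narrower existing rule should be kept.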
Index: refpolicy/policy/modules/contrib/apache.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/apache.te
+++ refpolicy/policy/modules/contrib/apache.te
@@ -282,6 +282,7 @@ type httpd_helper_t;
 type httpd_helper_exec_t;
 application_domain(httpd_helper_t, httpd_helper_exec_t)
 role httpd_helper_roles types httpd_helper_t;
+init_rw_inherited_script_tmp_files(httpd_t)
 
 type httpd_initrc_exec_t;
 init_script_file(httpd_initrc_exec_t)
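Review bot: `init_rw_inherited_script_tmp_files(httpd_t)` is inserted in the declarations block, between the httpd_helper and httpd_initrc type declarations, rather than in the httpd_t local-policy section where every other httpd_t rule lives. No hunk in this patch adds that interface to init.if, although the new `rw_inherited_file_perms` set in obj_perm_sets.spt looks like its building block; please confirm the interface exists in this tree, otherwise the module will not build.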
@@ -402,14 +403,12 @@ read_lnk_files_pattern(httpd_t, httpd_co
 
 allow httpd_t httpd_keytab_t:file read_file_perms;
 
+allow httpd_t httpd_lock_t:dir manage_dir_perms;
 allow httpd_t httpd_lock_t:file manage_file_perms;
-files_lock_filetrans(httpd_t, httpd_lock_t, file)
+files_lock_filetrans(httpd_t, httpd_lock_t, { file dir })
 
-allow httpd_t httpd_log_t:dir setattr_dir_perms;
-create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
-create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
-append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
-read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+manage_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
+manage_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
 read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
 logging_log_filetrans(httpd_t, httpd_log_t, file)
 
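Review bot: Replacing the setattr/create/append/read rules on httpd_log_t with `manage_dirs_pattern` and `manage_files_pattern` lets httpd_t unlink, rename and write anywhere in its own log files, which the previous append-only set prevented so that a compromised web server could not erase its traces. If a narrower need exists (log rotation usually runs in httpd_rotatelogs_t, which this file already transitions to), keeping the original rules and adding only the missing permission with a comment naming the operation would preserve that protection.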
@@ -427,6 +426,8 @@ manage_lnk_files_pattern(httpd_t, httpd_
 allow httpd_t httpd_suexec_exec_t:file read_file_perms;
 
 allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
+allow httpd_t httpd_sys_script_t:process signull;
+
 
 manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
 manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
@@ -444,6 +445,7 @@ fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_
 
 manage_dirs_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
 manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
+manage_lnk_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
 files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file })
 
 setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
@@ -464,6 +466,8 @@ domtrans_pattern(httpd_t, httpd_rotatelo
 domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
 
 kernel_read_kernel_sysctls(httpd_t)
+kernel_read_vm_sysctls(httpd_t)
+kernel_read_vm_overcommit_sysctl(httpd_t)
 kernel_read_network_state(httpd_t)
 kernel_read_system_state(httpd_t)
 kernel_search_network_sysctl(httpd_t)
@@ -594,6 +598,7 @@ tunable_policy(`httpd_builtin_scripting'
 tunable_policy(`httpd_enable_cgi',`
 	allow httpd_t httpd_script_domains:process { signal sigkill sigstop };
 	allow httpd_t httpd_script_exec_type:dir list_dir_perms;
+	allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms;
 ')
 
 tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
@@ -741,9 +746,8 @@ tunable_policy(`httpd_use_fusefs && http
 
 tunable_policy(`httpd_use_nfs',`
 	fs_list_auto_mountpoints(httpd_t)
-	fs_manage_nfs_dirs(httpd_t)
-	fs_manage_nfs_files(httpd_t)
-	fs_manage_nfs_symlinks(httpd_t)
+	rpc_manage_nfs_rw_content(httpd_t)
+	rpc_read_nfs_content(httpd_t)
 ')
 
 tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
@@ -1067,9 +1071,8 @@ tunable_policy(`httpd_use_fusefs && http
 
 tunable_policy(`httpd_use_nfs',`
 	fs_list_auto_mountpoints(httpd_suexec_t)
-	fs_manage_nfs_dirs(httpd_suexec_t)
-	fs_manage_nfs_files(httpd_suexec_t)
-	fs_manage_nfs_symlinks(httpd_suexec_t)
+	rpc_manage_nfs_rw_content(httpd_t)
+	rpc_read_nfs_content(httpd_t)
 ')
 
 tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
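Review bot: The two rpc_* calls in this `httpd_use_nfs` block name `httpd_t`, but the fs_* rules they replace were for `httpd_suexec_t`, so suexec loses its NFS access under the tunable while httpd_t gets rules it already received in the earlier hunk; the lines should read `rpc_manage_nfs_rw_content(httpd_suexec_t)` and `rpc_read_nfs_content(httpd_suexec_t)`. The same copy-paste error appears in the later `httpd_use_nfs` block for httpd_sys_script_t, where the replacement lines also say `httpd_t`.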
@@ -1217,8 +1220,11 @@ optional_policy(`
 #
 
 allow httpd_sys_script_t self:tcp_socket { accept listen };
+allow httpd_sys_script_t self:unix_dgram_socket { create connect connected_socket_perms };
+
 
 allow httpd_sys_script_t httpd_t:tcp_socket { read write };
+allow httpd_sys_script_t httpd_t:unix_stream_socket { read write ioctl };
 
 dontaudit httpd_sys_script_t httpd_config_t:dir search;
 
@@ -1229,6 +1235,7 @@ allow httpd_sys_script_t squirrelmail_sp
 allow httpd_sys_script_t squirrelmail_spool_t:lnk_file read_lnk_file_perms;
 
 kernel_read_kernel_sysctls(httpd_sys_script_t)
+dev_read_sysfs(httpd_sys_script_t)
 
 fs_search_auto_mountpoints(httpd_sys_script_t)
 
@@ -1240,6 +1247,12 @@ apache_domtrans_rotatelogs(httpd_sys_scr
 
 auth_use_nsswitch(httpd_sys_script_t)
 
+logging_send_syslog_msg(httpd_sys_script_t)
+
+ifdef(`init_systemd', `
+	init_search_pid_dirs(httpd_sys_script_t)
+')
+
 tunable_policy(`httpd_can_sendmail',`
 	corenet_sendrecv_smtp_client_packets(httpd_sys_script_t)
 	corenet_tcp_connect_smtp_port(httpd_sys_script_t)
@@ -1294,9 +1307,8 @@ tunable_policy(`httpd_use_fusefs && http
 
 tunable_policy(`httpd_use_nfs',`
 	fs_list_auto_mountpoints(httpd_sys_script_t)
-	fs_manage_nfs_dirs(httpd_sys_script_t)
-	fs_manage_nfs_files(httpd_sys_script_t)
-	fs_manage_nfs_symlinks(httpd_sys_script_t)
+	rpc_manage_nfs_rw_content(httpd_t)
+	rpc_read_nfs_content(httpd_t)
 ')
 
 tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
Index: refpolicy/policy/modules/contrib/dkim.if
===================================================================
--- refpolicy.orig/policy/modules/contrib/dkim.if
+++ refpolicy/policy/modules/contrib/dkim.if
@@ -34,3 +34,23 @@ interface(`dkim_admin',`
 	files_search_pids($1)
 	admin_pattern($1, dkim_milter_data_t)
 ')
+
+########################################
+## <summary>
+##	Allow a domain to talk to dkim via Unix domain socket
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dkim_stream_connect',`
+	gen_require(`
+		type dkim_milter_data_t, dkim_milter_t;
+	')
+
+	allow $1 dkim_milter_data_t:dir search_dir_perms;
+	allow postfix_cleanup_t dkim_milter_data_t:sock_file write;
+	allow postfix_cleanup_t dkim_milter_t:unix_stream_socket connectto;
+')
Index: refpolicy/policy/support/obj_perm_sets.spt
===================================================================
--- refpolicy.orig/policy/support/obj_perm_sets.spt
+++ refpolicy/policy/support/obj_perm_sets.spt
@@ -159,6 +159,7 @@ define(`exec_file_perms',`{ getattr open
 define(`append_file_perms',`{ getattr open append lock ioctl }')
 define(`write_file_perms',`{ getattr open write append lock ioctl }')
 define(`rw_file_perms',`{ getattr open read write append ioctl lock }')
+define(`rw_inherited_file_perms',`{ getattr read write append ioctl lock }')
 define(`create_file_perms',`{ getattr create open }')
 define(`rename_file_perms',`{ getattr rename }')
 define(`delete_file_perms',`{ getattr unlink }')
Index: refpolicy/policy/modules/contrib/perdition.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/perdition.te
+++ refpolicy/policy/modules/contrib/perdition.te
@@ -23,7 +23,7 @@ files_pid_file(perdition_var_run_t)
 # Local policy
 #
 
-allow perdition_t self:capability { setgid setuid };
+allow perdition_t self:capability { chown dac_override fowner setgid setuid };
 dontaudit perdition_t self:capability sys_tty_config;
 allow perdition_t self:process signal_perms;
 allow perdition_t self:tcp_socket { accept listen };
@@ -33,7 +33,8 @@ allow perdition_t perdition_etc_t:file r
 allow perdition_t perdition_etc_t:lnk_file read_lnk_file_perms;
 
 manage_files_pattern(perdition_t, perdition_var_run_t, perdition_var_run_t)
-files_pid_filetrans(perdition_t, perdition_var_run_t, file)
+allow perdition_t perdition_var_run_t:dir manage_dir_perms;
+files_pid_filetrans(perdition_t, perdition_var_run_t, { file dir })
 
 kernel_read_kernel_sysctls(perdition_t)
 kernel_list_proc(perdition_t)
@@ -46,11 +47,18 @@ corenet_tcp_sendrecv_generic_node(perdit
 corenet_tcp_sendrecv_all_ports(perdition_t)
 corenet_tcp_bind_generic_node(perdition_t)
 
+corenet_tcp_connect_pop_port(perdition_t)
 corenet_sendrecv_pop_server_packets(perdition_t)
 corenet_tcp_bind_pop_port(perdition_t)
 corenet_tcp_sendrecv_pop_port(perdition_t)
 
+corenet_tcp_connect_sieve_port(perdition_t)
+corenet_sendrecv_sieve_server_packets(perdition_t)
+corenet_tcp_bind_sieve_port(perdition_t)
+corenet_tcp_sendrecv_sieve_port(perdition_t)
+
 dev_read_sysfs(perdition_t)
+dev_read_urand(perdition_t)
 
 domain_use_interactive_fds(perdition_t)
 
@@ -71,5 +79,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	mysql_tcp_connect(perdition_t)
+	mysql_stream_connect(perdition_t)
+')
+
+optional_policy(`
 	udev_read_db(perdition_t)
 ')
Index: refpolicy/policy/modules/kernel/corecommands.fc
===================================================================
--- refpolicy.orig/policy/modules/kernel/corecommands.fc
+++ refpolicy/policy/modules/kernel/corecommands.fc
@@ -188,6 +188,7 @@ ifdef(`distro_gentoo',`
 /usr/bin/tcsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
 
 /usr/lib(.*/)?bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/postfix/configure-instance.sh -- gen_context(system_u:object_r:bin_t,s0)
 
 /usr/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(.*/)?sbin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
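Review bot: In `/usr/lib/postfix/configure-instance.sh -- gen_context(...)` the dot before `sh` is an unescaped regex metacharacter, so the entry also matches names like `configure-instancexsh`; the other entries in this file write it as `\.sh`. The line also separates its fields with single spaces where the surrounding entries use tabs, which makes the column alignment uneven.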
@@ -195,6 +196,7 @@ ifdef(`distro_gentoo',`
 /usr/lib/at-spi2-core(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/avahi/avahi-daemon-check-dns\.sh	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/ccache/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/dovecot/.+			gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/fence(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/pgsql/test/regress/.*\.sh --	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/qt.*/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
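Review bot: `/usr/lib/dovecot/.+` at L1811 has no file-type specifier and no directory exclusion, so everything under that tree (subdirectories and any shared objects dovecot keeps there) would be labelled bin_t, which is the executable type rather than a library type. The neighbouring entries either restrict themselves to regular files with `--` or name the bin/sbin directory they cover. If the intent is the dovecot helper binaries only, narrow the entry to the executables (for example with `--`) and leave module directories to their existing lib labelling; if dovecot's layout on this distro genuinely has only executables there, a comment on the entry saying so would let a later maintainer keep it.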
@@ -234,6 +236,7 @@ ifdef(`distro_gentoo',`
 /usr/lib/rpm/rpmk		-- 	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/rpm/rpmq		-- 	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/rpm/rpmv		-- 	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/selinux/hll/pp		--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/sftp-server		--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/ssh(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/sudo/sesh		--	gen_context(system_u:object_r:shell_exec_t,s0)
@@ -285,6 +288,7 @@ ifdef(`distro_gentoo',`
 /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/sbin/smrsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
 
+/usr/share/mdadm/checkarray	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/ajaxterm/ajaxterm.py.* --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/ajaxterm/qweb.py.* --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/apr-0/build/[^/]+\.sh --	gen_context(system_u:object_r:bin_t,s0)
Index: refpolicy/policy/modules/contrib/courier.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/courier.te
+++ refpolicy/policy/modules/contrib/courier.te
@@ -100,6 +100,7 @@ allow courier_authdaemon_t courier_tcpd_
 allow courier_authdaemon_t courier_tcpd_t:unix_stream_socket rw_stream_socket_perms;
 
 can_exec(courier_authdaemon_t, courier_exec_t)
+corecmd_exec_shell(courier_authdaemon_t)
 
 domtrans_pattern(courier_authdaemon_t, courier_pop_exec_t, courier_pop_t)
 
Index: refpolicy/policy/modules/contrib/milter.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/milter.te
+++ refpolicy/policy/modules/contrib/milter.te
@@ -94,8 +94,11 @@ mta_read_config(regex_milter_t)
 #
 
 allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms;
+allow spamass_milter_t self:process sigkill;
 
 kernel_read_system_state(spamass_milter_t)
+kernel_read_vm_overcommit_sysctl(spamass_milter_t)
+dev_read_sysfs(spamass_milter_t)
 
 corecmd_exec_shell(spamass_milter_t)
 
@@ -106,3 +109,7 @@ mta_send_mail(spamass_milter_t)
 optional_policy(`
 	spamassassin_domtrans_client(spamass_milter_t)
 ')
+
+optional_policy(`
+	postfix_search_spool(spamass_milter_t)
+')
Index: refpolicy/policy/modules/contrib/procmail.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/procmail.fc
+++ refpolicy/policy/modules/contrib/procmail.fc
@@ -1,6 +1,7 @@
 HOME_DIR/\.procmailrc	--	gen_context(system_u:object_r:procmail_home_t,s0)
 
 /usr/bin/procmail	--	gen_context(system_u:object_r:procmail_exec_t,s0)
+/usr/bin/maildrop	--	gen_context(system_u:object_r:procmail_exec_t,s0)
 
 /var/log/procmail\.log.*	--	gen_context(system_u:object_r:procmail_log_t,s0)
 /var/log/procmail(/.*)?	gen_context(system_u:object_r:procmail_log_t,s0)
Index: refpolicy/policy/modules/contrib/courier.if
===================================================================
--- refpolicy.orig/policy/modules/contrib/courier.if
+++ refpolicy/policy/modules/contrib/courier.if
@@ -65,11 +65,11 @@ interface(`courier_domtrans_authdaemon',
 #
 interface(`courier_stream_connect_authdaemon',`
 	gen_require(`
-		type courier_authdaemon_t, courier_spool_t;
+		type courier_authdaemon_t, courier_var_run_t;
 	')
 
 	files_search_spool($1)
-	stream_connect_pattern($1, courier_spool_t, courier_spool_t, courier_authdaemon_t)
+	stream_connect_pattern($1, courier_var_run_t, courier_var_run_t, courier_authdaemon_t)
 ')
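Review bot: The socket type moves from courier_spool_t to courier_var_run_t at L1888/L1893, but the unchanged L1891 still grants `files_search_spool($1)`, so callers get search on /var/spool while the socket they must traverse to now lives under /var/run. Replace it with `files_search_pids($1)` so the interface grants the directory search that actually leads to courier_var_run_t; the spool search is no longer needed by this interface. Callers already using `courier_stream_connect_authdaemon` (procmail_t is added as one later in this patch) would otherwise fail with a search denial on var_run_t unless they obtain it elsewhere.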
 
 ########################################
Index: refpolicy/policy/modules/contrib/procmail.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/procmail.te
+++ refpolicy/policy/modules/contrib/procmail.te
@@ -145,3 +145,8 @@ optional_policy(`
 	spamassassin_domtrans_client(procmail_t)
 	spamassassin_read_lib_files(procmail_t)
 ')
+
+optional_policy(`
+	courier_read_config(procmail_t)
+	courier_stream_connect_authdaemon(procmail_t)
+')
Index: refpolicy/policy/modules/contrib/spamassassin.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/spamassassin.te
+++ refpolicy/policy/modules/contrib/spamassassin.te
@@ -46,6 +46,7 @@ type spamc_exec_t;
 typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t };
 typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t };
 userdom_user_application_domain(spamc_t, spamc_exec_t)
+role system_r types spamc_t;
 
 type spamc_tmp_t;
 typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
Index: refpolicy/policy/modules/contrib/mta.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/mta.te
+++ refpolicy/policy/modules/contrib/mta.te
@@ -200,10 +200,16 @@ term_dontaudit_use_unallocated_ttys(syst
 
 init_use_script_ptys(system_mail_t)
 init_rw_stream_sockets(system_mail_t)
+init_use_fds(system_mail_t)
 
 userdom_use_user_terminals(system_mail_t)
 
 optional_policy(`
+	permit_in_unconfined_r(system_mail_t)
+	unconfined_use_fds(system_mail_t)
+')
+
+optional_policy(`
 	apache_read_squirrelmail_data(system_mail_t)
 	apache_append_squirrelmail_data(system_mail_t)
 	apache_dontaudit_append_log(system_mail_t)
@@ -234,6 +240,7 @@ optional_policy(`
 	cron_read_system_job_tmp_files(system_mail_t)
 	cron_dontaudit_write_pipes(system_mail_t)
 	cron_rw_system_job_stream_sockets(system_mail_t)
+	read_write_crond_tmp(system_mail_t)
 ')
 
 optional_policy(`
Index: refpolicy/policy/modules/contrib/apache.if
===================================================================
--- refpolicy.orig/policy/modules/contrib/apache.if
+++ refpolicy/policy/modules/contrib/apache.if
@@ -1343,3 +1343,23 @@ interface(`apache_admin',`
 	apache_run_all_scripts($1, $2)
 	apache_run_helper($1, $2)
 ')
+
+########################################
+## <summary>
+##	Unlink httpd_var_lib_t files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain that can unlink the files
+##	</summary>
+## </param>
+#
+interface(`apache_unlink_var_lib',`
+	gen_require(`
+		type httpd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	allow $1 httpd_var_lib_t:dir { write remove_name };
+	allow $1 httpd_var_lib_t:file unlink;
+')
Index: refpolicy/policy/modules/system/unconfined.if
===================================================================
--- refpolicy.orig/policy/modules/system/unconfined.if
+++ refpolicy/policy/modules/system/unconfined.if
@@ -21,7 +21,7 @@ interface(`unconfined_domain_noaudit',`
 
 	# Use most Linux capabilities
 	allow $1 self:capability ~sys_module;
-	allow $1 self:capability2 syslog;
+	allow $1 self:capability2 { syslog wake_alarm };
 	allow $1 self:fifo_file manage_fifo_file_perms;
 
 	# Transition to myself, to make get_ordered_context_list happy.
@@ -322,6 +322,23 @@ interface(`unconfined_run_to',`
 ')
 
 ########################################
+## <summary>
+##	Allow the specified domain to be in the unconfined role
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to permit in unconfined_r
+##	</summary>
+## </param>
+#
+interface(`permit_in_unconfined_r',`
+	gen_require(`
+		role unconfined_r;
+	')
+	role unconfined_r types $1;
+')
+
+########################################
 ## <summary>
 ##	Inherit file descriptors from the unconfined domain.
 ## </summary>
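Review bot: `permit_in_unconfined_r` at L2005 departs from the refpolicy interface naming convention of `<module>_<verb>_<object>` (compare `unconfined_run_to` at L1992); a name such as `unconfined_role_type` or similar with the module prefix would keep it discoverable, and the same applies to `create_in_xend_var_run` in xen.if and `inherit_mailserver_fd` in mta.if later in this patch, and to the `read_write_crond_tmp` calls in mta.te and mailman.te whose definition is not in this patch. Independently of naming, each call to this interface (system_mail_t, qemu_t, iptables_t in this patch) enlarges the type set of unconfined_r, which is the role-level control on what an unconfined session may run; the summary should say that explicitly so callers understand they are widening the role rather than only fixing a denial. A blank line after the `gen_require` block would also match the surrounding interfaces.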
Index: refpolicy/policy/modules/contrib/xen.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/xen.fc
+++ refpolicy/policy/modules/contrib/xen.fc
@@ -14,7 +14,7 @@
 /usr/sbin/xenstored	--	gen_context(system_u:object_r:xenstored_exec_t,s0)
 /usr/sbin/xl	--	gen_context(system_u:object_r:xm_exec_t,s0)
 /usr/sbin/xm	--	gen_context(system_u:object_r:xm_exec_t,s0)
-
+/usr/lib/xen-.*/xl --	gen_context(system_u:object_r:xm_exec_t,s0)
 /var/lib/xen(/.*)?	gen_context(system_u:object_r:xend_var_lib_t,s0)
 /var/lib/xen/images(/.*)?	gen_context(system_u:object_r:xen_image_t,s0)
 /var/lib/xend(/.*)?	gen_context(system_u:object_r:xend_var_lib_t,s0)
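Review bot: The new `/usr/lib/xen-.*/xl` entry at L2025 uses `.*`, which also matches `/`, so it labels any `xl` at any depth under a `xen-` directory rather than the versioned tool directory it appears to target; `/usr/lib/xen-[^/]*/xl` would pin it to one path component. It also replaces the blank line that separated the `/usr` block from the `/var/lib` block, so the file loses its grouping; keep the separator and place the entry with the other `xm_exec_t` lines above it.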
@@ -25,11 +25,13 @@
 /var/log/xen-hotplug\.log.*	--	gen_context(system_u:object_r:xend_var_log_t,s0)
 /var/log/xend\.log.*	--	gen_context(system_u:object_r:xend_var_log_t,s0)
 /var/log/xend-debug\.log.*	--	gen_context(system_u:object_r:xend_var_log_t,s0)
+/var/lock/xl		--	gen_context(system_u:object_r:xen_lock_t,s0)
 
 /var/run/evtchnd	-s	gen_context(system_u:object_r:evtchnd_var_run_t,s0)
 /var/run/evtchnd\.pid	--	gen_context(system_u:object_r:evtchnd_var_run_t,s0)
 /var/run/xenconsoled\.pid	--	gen_context(system_u:object_r:xenconsoled_var_run_t,s0)
 /var/run/xend(/.*)?	gen_context(system_u:object_r:xend_var_run_t,s0)
+/var/run/xen		-d	gen_context(system_u:object_r:xend_var_run_t,s0)
 /var/run/xend\.pid	--	gen_context(system_u:object_r:xend_var_run_t,s0)
 /var/run/xenner(/.*)?	gen_context(system_u:object_r:xend_var_run_t,s0)
 /var/run/xenstore\.pid	--	gen_context(system_u:object_r:xenstored_var_run_t,s0)
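Review bot: L2033 labels `/var/lock/xl` as `xen_lock_t`, but no hunk in this patch declares that type and xen.te is not touched here. If the type is not already declared in xen.te, `setfiles` will reject the context at relabel time; the declaration (and the `files_lock_file` call that goes with it) should land in the same change as the file context that uses it, or the note should point to where it is declared.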
Index: refpolicy/policy/modules/contrib/apache.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/apache.fc
+++ refpolicy/policy/modules/contrib/apache.fc
@@ -17,6 +17,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*
 /etc/httpd/modules	gen_context(system_u:object_r:httpd_modules_t,s0)
 /etc/lighttpd(/.*)?	gen_context(system_u:object_r:httpd_config_t,s0)
 /etc/mock/koji(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/postfixadmin(/.*)?	gen_context(system_u:object_r:httpd_config_t,s0)
 /etc/z-push(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 
 /etc/rc\.d/init\.d/cherokee	--	gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
@@ -56,6 +57,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*
 /usr/libexec/httpd-ssl-pass-dialog	--	gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
 
 /usr/sbin/apache(2)?	--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/apache(2)?ctl	--	gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/sbin/apache-ssl(2)?	--	gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/sbin/cgi-wrapper	--	gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/sbin/cherokee	--	gen_context(system_u:object_r:httpd_exec_t,s0)
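Review bot: L2059 gives `apache(2)?ctl` the same `httpd_exec_t` label as the server binary, so any domain that execs the control script transitions straight into httpd_t before the script has run; apachectl is a wrapper that then has to exec the shell and the real daemon from inside httpd_t, which is not how the other entries here treat control scripts (the init-script entries at L2054 use `httpd_initrc_exec_t`). If the goal is to let the service be started and stopped from systemd or an admin shell, the control-script type is the more likely fit; if httpd_exec_t was chosen deliberately, a comment on the entry explaining why would help the next reviewer.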
@@ -111,6 +113,7 @@ ifdef(`distro_suse',`
 /var/lib/cherokee(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
 /var/lib/dav(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
 /var/lib/php(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/php5(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
 /var/lib/dokuwiki(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/lib/drupal.*	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/lib/glpi(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
@@ -125,6 +128,7 @@ ifdef(`distro_suse',`
 /var/lib/stickshift/.httpd.d(/.*)?	gen_context(system_u:object_r:httpd_config_t,s0)
 /var/lib/svn(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/lib/trac(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/lib/wordpress(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
 /var/lib/z-push(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 
 /var/log/apache(2)?(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
Index: refpolicy/policy/modules/contrib/ntp.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/ntp.te
+++ refpolicy/policy/modules/contrib/ntp.te
@@ -53,6 +53,8 @@ allow ntpd_t self:process { signal_perms
 allow ntpd_t self:fifo_file rw_fifo_file_perms;
 allow ntpd_t self:shm create_shm_perms;
 allow ntpd_t self:tcp_socket { accept listen };
+allow ntpd_t self:socket create;
+allow ntpd_t self:unix_dgram_socket sendto;
 
 manage_dirs_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
 manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
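Review bot: `allow ntpd_t self:socket create;` at L2087 uses the generic `socket` class, which only appears when a socket family has no dedicated object class, so without a comment nobody can tell which call in ntpd triggered it or whether a specific class should have been used instead. Add a one-line comment naming the family or syscall observed in the denial, for example `# generic socket class: <family seen in the AVC> — TODO confirm` using the actual value from the audit log. The `unix_dgram_socket sendto` at L2088 without `create` also looks like it serves an inherited or pre-created socket; a comment saying which one would make the rule reviewable.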
@@ -64,9 +66,8 @@ read_files_pattern(ntpd_t, ntpd_key_t, n
 read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
 
 allow ntpd_t ntpd_log_t:dir setattr_dir_perms;
-append_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
-create_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
-setattr_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
+manage_dirs_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
+manage_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
 logging_log_filetrans(ntpd_t, ntpd_log_t, { file dir })
 
 manage_dirs_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t)
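Review bot: L2099-L2100 replace append/create/setattr on `ntpd_log_t` with full `manage_*` patterns, which adds read, write (not just append), rename and unlink; a compromised ntpd could then truncate or delete its own log files, which the previous append-only rules prevented. If the denial that motivated this was only about log rotation or reopening, consider granting the narrower missing permission and keeping append-only on the files; if full management is really required, a comment saying why the log must be rewritable would justify the widening. The same widening is applied to `jabberd_log_t` in jabber.te later in this patch (manage_files_pattern replacing the three narrower patterns) and deserves the same scrutiny.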
Index: refpolicy/policy/modules/contrib/squid.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/squid.fc
+++ refpolicy/policy/modules/contrib/squid.fc
@@ -4,17 +4,18 @@
 
 /usr/lib/squid/cachemgr\.cgi	--	gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
 
-/usr/sbin/squid	--	gen_context(system_u:object_r:squid_exec_t,s0)
+/usr/sbin/squid.*	--	gen_context(system_u:object_r:squid_exec_t,s0)
 
 /usr/share/squid(/.*)?	gen_context(system_u:object_r:squid_conf_t,s0)
 
 /var/cache/squid(/.*)?	gen_context(system_u:object_r:squid_cache_t,s0)
 
-/var/log/squid(/.*)?	gen_context(system_u:object_r:squid_log_t,s0)
+/var/log/squid.*	gen_context(system_u:object_r:squid_log_t,s0)
 /var/log/squidGuard(/.*)?	gen_context(system_u:object_r:squid_log_t,s0)
 
-/var/run/squid\.pid	--	gen_context(system_u:object_r:squid_var_run_t,s0)
+/var/run/squid3?\.pid	--	gen_context(system_u:object_r:squid_var_run_t,s0)
+/var/run/squid3(/.*)?	gen_context(system_u:object_r:squid_var_run_t,s0)
 
-/var/spool/squid(/.*)?	gen_context(system_u:object_r:squid_cache_t,s0)
+/var/spool/squid.*	gen_context(system_u:object_r:squid_cache_t,s0)
 
 /var/squidGuard(/.*)?	gen_context(system_u:object_r:squid_cache_t,s0)
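Review bot: The `squid.*` patterns introduced at L2113, L2120 and L2128 match any name beginning with "squid", so `/usr/sbin/squid.*` would also catch unrelated binaries such as a `squidclient` or `squidGuard` installed in that directory, and `/var/log/squid.*` now overlaps the explicit `/var/log/squidGuard(/.*)?` entry right below it. The pid entry at L2124 already uses the tighter `squid3?` form; applying the same `squid3?` (with `(/.*)?` where a directory is meant) to the other three entries would cover the squid3 packaging without widening to unrelated paths.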
Index: refpolicy/policy/modules/contrib/squid.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/squid.te
+++ refpolicy/policy/modules/contrib/squid.te
@@ -21,6 +21,14 @@ gen_tunable(squid_connect_any, false)
 ## </desc>
 gen_tunable(squid_use_tproxy, false)
 
+## <desc>
+##	<p>
+##	Determine whether squid can use the
+##	pinger daemon (needs raw net access)
+##	</p>
+## </desc>
+gen_tunable(squid_use_pinger, true)
+
 type squid_t;
 type squid_exec_t;
 init_daemon_domain(squid_t, squid_exec_t)
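Review bot: The new `squid_use_pinger` tunable at L2145 defaults to `true`, while the two existing tunables in this file (L2137 and the `squid_connect_any` in the hunk header) default to `false`; refpolicy convention is that tunables which grant extra privilege are off unless the administrator opts in. Since the matching `tunable_policy` block later in this patch grants `net_raw` and `rawip_socket`, defaulting it on means every squid installation gets raw-socket capability without asking for it. Change the declaration to `gen_tunable(squid_use_pinger, false)` and let sites that run the pinger enable it.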
@@ -188,6 +196,11 @@ tunable_policy(`squid_connect_any',`
 	corenet_tcp_sendrecv_all_ports(squid_t)
 ')
 
+tunable_policy(`squid_use_pinger',`
+	allow squid_t self:rawip_socket connected_socket_perms;
+	allow squid_t self:capability net_raw;
+')
+
 tunable_policy(`squid_use_tproxy',`
 	allow squid_t self:capability net_admin;
 	corenet_sendrecv_netport_server_packets(squid_t)
Index: refpolicy/policy/modules/contrib/qemu.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/qemu.te
+++ refpolicy/policy/modules/contrib/qemu.te
@@ -25,11 +25,20 @@ role qemu_roles types qemu_t;
 type qemu_unit_t;
 init_unit_file(qemu_unit_t)
 
+type qemu_var_run_t;
+files_pid_file(qemu_var_run_t);
+files_pid_filetrans(qemu_t, qemu_var_run_t, sock_file)
+allow qemu_t qemu_var_run_t:sock_file create_sock_file_perms;
+
 ########################################
 #
 # Local policy
 #
 
+kernel_read_crypto_sysctls(qemu_t)
+
+dev_read_sysfs(qemu_t)
+
 tunable_policy(`qemu_full_network',`
 	corenet_udp_sendrecv_generic_if(qemu_t)
 	corenet_udp_sendrecv_generic_node(qemu_t)
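Review bot: `files_pid_file(qemu_var_run_t);` at L2171 carries a trailing `;` that none of the other interface calls have (L2172 directly below has none); the macro already expands to complete statements, so the stray semicolon is at best noise and at worst an empty statement the policy compiler may reject. Drop it. Also, L2172-L2173 are access rules placed in the declarations section above the `Local policy` header at L2175-L2178; moving the `files_pid_filetrans` and the `sock_file` allow below that header keeps the file's declaration/policy split intact.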
@@ -41,6 +50,16 @@ tunable_policy(`qemu_full_network',`
 ')
 
 optional_policy(`
+	fs_manage_xenfs_files(qemu_t)
+	xen_stream_connect_xenstore(qemu_t)
+	dev_rw_xen(qemu_t)
+	xen_append_log(qemu_t)
+	create_in_xend_var_run(qemu_t, qemu_var_run_t, sock_file)
+')
+optional_policy(`
+	permit_in_unconfined_r(qemu_t)
+')
+optional_policy(`
 	xserver_user_x_domain_template(qemu, qemu_t, qemu_tmpfs_t)
 ')
 
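Review bot: The three `optional_policy` blocks at L2190-L2202 run into each other with no blank line between `')` and the next `optional_policy(`, unlike the rest of the file. Inside the first block, `fs_manage_xenfs_files(qemu_t)` and `dev_rw_xen(qemu_t)` are kernel-layer interfaces that are always available and do not belong inside an `optional_policy` keyed on the xen module; hoisting them out makes the conditional part (the `xen_*` calls and the `create_in_xend_var_run` filetrans) clearer. A short comment stating that this block is for qemu running as a xen device model would also help, since the filetrans into xend_var_run_t is only meaningful in that configuration.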
Index: refpolicy/policy/modules/contrib/bind.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/bind.fc
+++ refpolicy/policy/modules/contrib/bind.fc
@@ -27,6 +27,7 @@
 /var/bind/pri(/.*)?	gen_context(system_u:object_r:named_zone_t,s0)
 
 /var/cache/bind(/.*)?	gen_context(system_u:object_r:named_cache_t,s0)
+/var/lib/unbound(/.*)?	gen_context(system_u:object_r:named_cache_t,s0)
 
 /var/log/named.*	--	gen_context(system_u:object_r:named_log_t,s0)
 
@@ -52,6 +53,7 @@
 /var/named/dynamic(/.*)?	gen_context(system_u:object_r:named_cache_t,s0)
 
 /var/run/ndc	-s	gen_context(system_u:object_r:named_var_run_t,s0)
+/var/run/lwresd/lwresd\.pid	gen_context(system_u:object_r:named_var_run_t,s0)
 /var/run/bind(/.*)?	gen_context(system_u:object_r:named_var_run_t,s0)
 /var/run/named(/.*)?	gen_context(system_u:object_r:named_var_run_t,s0)
 /var/run/unbound(/.*)?	gen_context(system_u:object_r:named_var_run_t,s0)
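Review bot: L2220 omits the `--` file-type specifier that every other `.pid` entry in this section carries (compare L2219's `-s` and the `\.pid` entries in the first hunk), so the pattern will also match a directory or socket of that name. Write it as `/var/run/lwresd/lwresd\.pid	--	gen_context(system_u:object_r:named_var_run_t,s0)` for consistency and precision.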
Index: refpolicy/policy/modules/contrib/qemu.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/qemu.fc
+++ refpolicy/policy/modules/contrib/qemu.fc
@@ -6,3 +6,4 @@
 /usr/lib/systemd/system/[^/]*qemu-guest-agent.*	--	gen_context(system_u:object_r:qemu_unit_t,s0)
 
 /usr/libexec/qemu.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)
+/var/run/xen/qmp.*	--	gen_context(system_u:object_r:qemu_var_run_t,s0)
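Review bot: L2232 uses the `--` specifier, which matches regular files only, but the object being labelled is the QMP socket: qemu.te in this patch creates `qemu_var_run_t` as a `sock_file` and the new `qemu_stream_connect` interface connects to it. As written, `restorecon` will never apply `qemu_var_run_t` to the socket and the rules depending on that label will not take effect; the entry should read `/var/run/xen/qmp.*	-s	gen_context(system_u:object_r:qemu_var_run_t,s0)`.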
Index: refpolicy/policy/modules/contrib/qemu.if
===================================================================
--- refpolicy.orig/policy/modules/contrib/qemu.if
+++ refpolicy/policy/modules/contrib/qemu.if
@@ -374,3 +374,41 @@ interface(`qemu_entry_type',`
 
 	domain_entry_file($1, qemu_exec_t)
 ')
+
+########################################
+## <summary>
+##	Connect to qemu with a unix
+##	domain stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`qemu_stream_connect',`
+	gen_require(`
+		type qemu_t, qemu_var_run_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1, qemu_var_run_t, qemu_var_run_t, qemu_t)
+')
+
+########################################
+## <summary>
+##	Unlink qemu socket
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`qemu_unlink_socket',`
+	gen_require(`
+		type qemu_t, qemu_var_run_t;
+	')
+
+	allow $1 qemu_var_run_t:sock_file unlink;
+')
Index: refpolicy/policy/modules/system/iptables.te
===================================================================
--- refpolicy.orig/policy/modules/system/iptables.te
+++ refpolicy/policy/modules/system/iptables.te
@@ -106,6 +106,10 @@ ifdef(`hide_broken_symptoms',`
 ')
 
 optional_policy(`
+	permit_in_unconfined_r(iptables_t)
+')
+
+optional_policy(`
 	fail2ban_append_log(iptables_t)
 ')
 
@@ -153,4 +157,6 @@ optional_policy(`
 
 optional_policy(`
 	udev_read_db(iptables_t)
+	# this is for iptables_t to inherit a file hande from xen vif-bridge
+	udev_manage_pid_files(iptables_t)
 ')
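Review bot: The comment at L2298 explains that iptables_t only needs to inherit a file handle, yet L2299 grants `udev_manage_pid_files`, which includes create, rename and unlink on udev's pid files — far more than using an inherited descriptor requires. If the denial was read/write on an already-open file, a read-write-only interface on udev pid files plus the fd `use` permission is the right size; if no such interface exists, adding one to udev.if is preferable to granting manage. The comment also has a typo: `hande` should be `handle`.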
Index: refpolicy/policy/modules/contrib/xen.if
===================================================================
--- refpolicy.orig/policy/modules/contrib/xen.if
+++ refpolicy/policy/modules/contrib/xen.if
@@ -259,6 +259,34 @@ interface(`xen_stream_connect',`
 
 ########################################
 ## <summary>
+##	Create in a xend_var_run_t directory
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="private type">
+##      <summary>
+##      The type of the object to be created.
+##      </summary>
+## </param>
+## <param name="object">
+##      <summary>
+##      The object class of the object being created.
+##      </summary>
+## </param>
+#
+interface(`create_in_xend_var_run',`
+	gen_require(`
+		type xend_var_run_t;
+	')
+
+	filetrans_pattern($1, xend_var_run_t, $2, $3)
+')
+
+########################################
+## <summary>
 ##	Execute a domain transition to run xm.
 ## </summary>
 ## <param name="domain">
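Review bot: The XML doc block for the new interface mixes indentation styles: L2317-L2324 indent the `<summary>` elements with spaces while L2312-L2314 and the rest of xen.if use tabs, which the refpolicy doc tooling and a diff reader both notice. Re-indent those six lines with tabs. The `filetrans_pattern` at L2332 also assumes the caller already has search on the directories leading to xend_var_run_t; a sentence in the summary saying callers must obtain `files_search_pids` themselves would save the next user a denial.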
Index: refpolicy/policy/modules/contrib/jabber.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/jabber.te
+++ refpolicy/policy/modules/contrib/jabber.te
@@ -73,21 +73,25 @@ allow jabberd_t self:capability dac_over
 dontaudit jabberd_t self:capability sys_tty_config;
 allow jabberd_t self:tcp_socket create_socket_perms;
 allow jabberd_t self:udp_socket create_socket_perms;
+allow jabberd_t self:netlink_route_socket r_netlink_socket_perms;
 
 manage_files_pattern(jabberd_t, jabberd_lock_t, jabberd_lock_t)
 
 allow jabberd_t jabberd_log_t:dir setattr_dir_perms;
-append_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
-create_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
-setattr_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
+manage_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
 logging_log_filetrans(jabberd_t, jabberd_log_t, { file dir })
 
 manage_files_pattern(jabberd_domain, jabberd_spool_t, jabberd_spool_t)
 
 manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t)
 files_pid_filetrans(jabberd_t, jabberd_var_run_t, file)
+miscfiles_read_all_certs(jabberd_t)
+domain_dontaudit_search_all_domains_state(jabberd_t)
 
 kernel_read_kernel_sysctls(jabberd_t)
+corecmd_exec_bin(jabberd_t)
+# usr for lua modules
+files_read_usr_files(jabberd_t)
 
 corenet_sendrecv_jabber_client_server_packets(jabberd_t)
 corenet_tcp_bind_jabber_client_port(jabberd_t)
@@ -96,6 +100,7 @@ corenet_tcp_sendrecv_jabber_client_port(
 corenet_sendrecv_jabber_interserver_server_packets(jabberd_t)
 corenet_tcp_bind_jabber_interserver_port(jabberd_t)
 corenet_tcp_sendrecv_jabber_interserver_port(jabberd_t)
+corenet_tcp_connect_jabber_interserver_port(jabberd_t)
 
 dev_read_rand(jabberd_t)
 
Index: refpolicy/policy/modules/contrib/iodine.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/iodine.te
+++ refpolicy/policy/modules/contrib/iodine.te
@@ -12,6 +12,9 @@ init_daemon_domain(iodined_t, iodined_ex
 type iodined_initrc_exec_t;
 init_script_file(iodined_initrc_exec_t)
 
+type iodined_var_run_t;
+files_pid_file(iodined_var_run_t)
+
 ########################################
 #
 # Local policy
@@ -21,6 +24,10 @@ allow iodined_t self:capability { net_ad
 allow iodined_t self:rawip_socket create_socket_perms;
 allow iodined_t self:tun_socket create_socket_perms;
 allow iodined_t self:udp_socket connected_socket_perms;
+allow iodined_t self:netlink_route_socket rw_netlink_socket_perms;
+
+manage_dirs_pattern(iodined_t, iodined_var_run_t, iodined_var_run_t)
+manage_files_pattern(iodined_t, iodined_var_run_t, iodined_var_run_t)
 
 kernel_read_net_sysctls(iodined_t)
 kernel_read_network_state(iodined_t)
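Review bot: L2401-L2402 let iodined_t manage `iodined_var_run_t`, but nothing in this patch adds `files_pid_filetrans(iodined_t, iodined_var_run_t, ...)`, so anything iodined creates under /var/run will be labelled with the parent's var_run_t and the new rules will never match it. Add `files_pid_filetrans(iodined_t, iodined_var_run_t, { file dir })` (choosing the classes iodined actually creates) next to the manage patterns. No iodine.fc entry for the type appears in this patch either; if one exists in another change it should be referenced, otherwise `restorecon` has nothing to relabel with.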
Index: refpolicy/policy/modules/contrib/openvpn.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/openvpn.fc
+++ refpolicy/policy/modules/contrib/openvpn.fc
@@ -5,6 +5,7 @@
 
 /usr/sbin/openvpn	--	gen_context(system_u:object_r:openvpn_exec_t,s0)
 
+/etc/openvpn/openvpn-status\.log.* --	gen_context(system_u:object_r:openvpn_status_t,s0)
 /var/log/openvpn-status\.log.*	--	gen_context(system_u:object_r:openvpn_status_t,s0)
 /var/log/openvpn.*	gen_context(system_u:object_r:openvpn_var_log_t,s0)
 
Index: refpolicy/policy/modules/contrib/mandb.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/mandb.te
+++ refpolicy/policy/modules/contrib/mandb.te
@@ -28,6 +28,7 @@ allow mandb_t self:unix_stream_socket cr
 
 kernel_read_kernel_sysctls(mandb_t)
 kernel_read_system_state(mandb_t)
+fs_getattr_xattr_fs(mandb_t)
 
 corecmd_exec_bin(mandb_t)
 corecmd_exec_shell(mandb_t)
@@ -42,6 +43,10 @@ miscfiles_manage_man_cache(mandb_t)
 miscfiles_read_man_pages(mandb_t)
 miscfiles_read_localization(mandb_t)
 
+ifdef(`init_systemd',`
+	init_search_pid_dirs(mandb_t)
+')
+
 ifdef(`distro_debian',`
 	optional_policy(`
 		apt_exec(mandb_t)
Index: refpolicy/policy/modules/contrib/mailman.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/mailman.te
+++ refpolicy/policy/modules/contrib/mailman.te
@@ -92,6 +92,27 @@ miscfiles_read_localization(mailman_doma
 #
 
 dev_read_urand(mailman_cgi_t)
+miscfiles_read_localization(mailman_cgi_t)
+corecmd_exec_bin(mailman_cgi_t)
+kernel_read_crypto_sysctls(mailman_cgi_t)
+
+allow mailman_cgi_t self:unix_dgram_socket { create connect };
+
+allow mailman_cgi_t mailman_data_t:dir rw_dir_perms;
+allow mailman_cgi_t mailman_data_t:file manage_file_perms;
+allow mailman_cgi_t mailman_data_t:lnk_file read_lnk_file_perms;
+kernel_read_system_state(mailman_cgi_t)
+
+allow mailman_cgi_t mailman_log_t:file { append_file_perms read_file_perms };
+allow mailman_cgi_t mailman_log_t:dir search_dir_perms;
+logging_search_logs(mailman_cgi_t)
+
+files_search_locks(mailman_cgi_t)
+allow mailman_cgi_t mailman_lock_t:dir manage_dir_perms;
+allow mailman_cgi_t mailman_lock_t:file manage_file_perms;
+
+allow mailman_cgi_t mailman_archive_t:dir search_dir_perms;
+allow mailman_cgi_t mailman_archive_t:file read_file_perms;
 
 term_use_controlling_term(mailman_cgi_t)
 
@@ -118,10 +139,43 @@ optional_policy(`
 allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config };
 allow mailman_mail_t self:process { signal signull };
 
+allow mailman_mail_t mailman_data_t:dir rw_dir_perms;
+allow mailman_mail_t mailman_data_t:file manage_file_perms;
+allow mailman_mail_t mailman_data_t:lnk_file read_lnk_file_perms;
+
+logging_search_logs(mailman_mail_t)
+allow mailman_mail_t mailman_log_t:dir search;
+allow mailman_mail_t mailman_log_t:file read_file_perms;
+
+allow mailman_mail_t mailman_archive_t:dir manage_dir_perms;
+allow mailman_mail_t mailman_archive_t:file manage_file_perms;
+allow mailman_mail_t mailman_archive_t:lnk_file manage_lnk_file_perms;
+
+# this is far from ideal, but systemd reduces the importance of initrc_t
+init_signal_script(mailman_mail_t)
+init_signull_script(mailman_mail_t)
+
+# for python .path file
+libs_read_lib_files(mailman_mail_t)
+
+allow mailman_mail_t self:process setsched;
+
+kernel_read_system_state(mailman_mail_t)
+miscfiles_read_localization(mailman_mail_t)
+
+domain_auto_transition_pattern(mailman_mail_t, mailman_queue_exec_t, mailman_queue_t)
+allow mailman_mail_t mailman_queue_exec_t:file ioctl;
+
+can_exec(mailman_mail_t, mailman_mail_exec_t)
+
 manage_files_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
 manage_dirs_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
 files_pid_filetrans(mailman_mail_t, mailman_var_run_t, { file dir })
 
+files_search_locks(mailman_mail_t)
+allow mailman_mail_t mailman_lock_t:dir rw_dir_perms;
+allow mailman_mail_t mailman_lock_t:file manage_file_perms;
+
 corenet_sendrecv_innd_client_packets(mailman_mail_t)
 corenet_tcp_connect_innd_port(mailman_mail_t)
 corenet_tcp_sendrecv_innd_port(mailman_mail_t)
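Review bot: L2501-L2502 use the low-level `domain_auto_transition_pattern` plus a separate `file ioctl` rule to express a domain transition; the refpolicy idiom is `domtrans_pattern(mailman_mail_t, mailman_queue_exec_t, mailman_queue_t)`, which already grants the entry-file permissions and the process transition and sets up the inherited-descriptor rules the other transitions in this module rely on. The raw `allow` rules on `mailman_data_t`, `mailman_log_t`, `mailman_archive_t` and `mailman_lock_t` at L2477-L2487 and L2511-L2512 should likewise use the `*_files_pattern`/`*_lnk_files_pattern` macros for consistency with L2506-L2508 right below them. The comment at L2489 ("far from ideal") would be more useful if it stated which denial `init_signal_script` is working around, since letting a mail handler signal init scripts is a notable grant.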
@@ -129,13 +183,16 @@ corenet_tcp_sendrecv_innd_port(mailman_m
 corenet_sendrecv_spamd_client_packets(mailman_mail_t)
 corenet_tcp_connect_spamd_port(mailman_mail_t)
 corenet_tcp_sendrecv_spamd_port(mailman_mail_t)
+corenet_tcp_connect_smtp_port(mailman_mail_t)
 
 dev_read_urand(mailman_mail_t)
+corecmd_exec_bin(mailman_mail_t)
 
 fs_rw_anon_inodefs_files(mailman_mail_t)
 
 mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t)
 mta_dontaudit_rw_queue(mailman_mail_t)
+inherit_mailserver_fd(mailman_mail_t)
 
 optional_policy(`
 	courier_read_spool(mailman_mail_t)
@@ -159,9 +216,30 @@ allow mailman_queue_t self:capability {
 allow mailman_queue_t self:process { setsched signal_perms };
 allow mailman_queue_t self:fifo_file rw_fifo_file_perms;
 
+allow mailman_queue_t mailman_data_t:dir rw_dir_perms;
+allow mailman_queue_t mailman_data_t:file manage_file_perms;
+allow mailman_queue_t mailman_data_t:lnk_file read_lnk_file_perms;
+
+allow mailman_queue_t mailman_log_t:dir list_dir_perms;
+allow mailman_queue_t mailman_log_t:file manage_file_perms;
+
+allow mailman_queue_t mailman_archive_t:dir manage_dir_perms;
+allow mailman_queue_t mailman_archive_t:file manage_file_perms;
+
+files_search_locks(mailman_queue_t)
+allow mailman_queue_t mailman_lock_t:dir rw_dir_perms;
+allow mailman_queue_t mailman_lock_t:file manage_file_perms;
+
+corecmd_read_bin_files(mailman_queue_t)
+corecmd_read_bin_symlinks(mailman_queue_t)
+
 corenet_sendrecv_innd_client_packets(mailman_queue_t)
 corenet_tcp_connect_innd_port(mailman_queue_t)
 corenet_tcp_sendrecv_innd_port(mailman_queue_t)
+read_write_crond_tmp(mailman_queue_t)
+miscfiles_read_localization(mailman_queue_t)
+
+kernel_read_system_state(mailman_queue_t)
 
 auth_domtrans_chk_passwd(mailman_queue_t)
 
Index: refpolicy/policy/modules/contrib/mta.if
===================================================================
--- refpolicy.orig/policy/modules/contrib/mta.if
+++ refpolicy/policy/modules/contrib/mta.if
@@ -286,6 +286,24 @@ interface(`mta_home_filetrans_mail_home_
 
 ########################################
 ## <summary>
+##	Inherit FDs from mailserver_domain domains
+## </summary>
+## <param name="type">
+##	<summary>
+##	Type for a list server or delivery agent that inherits fds
+##	</summary>
+## </param>
+#
+interface(`inherit_mailserver_fd',`
+	gen_require(`
+		attribute mailserver_domain;
+	')
+
+	allow $1 mailserver_domain:fd use;
+')
+
+########################################
+## <summary>
 ##	Make the specified type by a system MTA.
 ## </summary>
 ## <param name="type">
Index: refpolicy/policy/modules/contrib/mailman.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/mailman.fc
+++ refpolicy/policy/modules/contrib/mailman.fc
@@ -2,11 +2,11 @@
 
 /etc/mailman.*	gen_context(system_u:object_r:mailman_data_t,s0)
 
-/usr/lib/mailman.*/bin/mailmanctl	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-/usr/lib/mailman.*/bin/mm-handler.*	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-/usr/lib/mailman.*/cron/.*	--	gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+/usr/lib/mailman/bin/mailmanctl	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/mailman/bin/mm-handler.*	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/mailman/cron/.*	--	gen_context(system_u:object_r:mailman_queue_exec_t,s0)
 /var/lib/mailman.*	gen_context(system_u:object_r:mailman_data_t,s0)
-/var/lib/mailman.*/archives(/.*)?	gen_context(system_u:object_r:mailman_archive_t,s0)
+/var/lib/mailman/archives(/.*)?	gen_context(system_u:object_r:mailman_archive_t,s0)
 
 /var/lock/mailman.*	gen_context(system_u:object_r:mailman_lock_t,s0)
 /var/lock/subsys/mailman.*	--	gen_context(system_u:object_r:mailman_lock_t,s0)
@@ -17,13 +17,13 @@
 
 /var/spool/mailman.*	gen_context(system_u:object_r:mailman_data_t,s0)
 
-/usr/lib/cgi-bin/mailman.*/.*	--	gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
-/usr/lib/mailman.*/bin/qrunner	--	gen_context(system_u:object_r:mailman_queue_exec_t,s0)
-/usr/lib/mailman.*/cgi-bin/.*	--	gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
-/usr/lib/mailman.*/mail/mailman	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-/usr/lib/mailman.*/mail/wrapper	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-/usr/lib/mailman.*/scripts/mailman	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/cgi-bin/mailman/.*	--	gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
+/usr/lib/mailman/bin/qrunner	--	gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+/usr/lib/mailman/cgi-bin/.*	--	gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
+/usr/lib/mailman/mail/mailman	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/mailman/mail/wrapper	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/mailman/scripts/mailman	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
 
-/usr/mailman.*/mail/wrapper	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/mailman/mail/wrapper	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
 
-/usr/share/doc/mailman.*/mm-handler.*	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/share/doc/mailman/mm-handler.*	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
Index: refpolicy/policy/modules/system/authlogin.te
===================================================================
--- refpolicy.orig/policy/modules/system/authlogin.te
+++ refpolicy/policy/modules/system/authlogin.te
@@ -107,6 +107,8 @@ files_list_etc(chkpwd_t)
 kernel_read_crypto_sysctls(chkpwd_t)
 # is_selinux_enabled
 kernel_read_system_state(chkpwd_t)
+selinux_get_enforce_mode(chkpwd_t)
+selinux_getattr_fs(chkpwd_t)
 
 domain_dontaudit_use_interactive_fds(chkpwd_t)
 
Index: refpolicy/policy/modules/contrib/webalizer.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/webalizer.te
+++ refpolicy/policy/modules/contrib/webalizer.te
@@ -22,6 +22,9 @@ files_tmp_file(webalizer_tmp_t)
 type webalizer_var_lib_t;
 files_type(webalizer_var_lib_t)
 
+type webalizer_log_t;
+logging_log_file(webalizer_log_t)
+
 ########################################
 #
 # Local policy
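Review bot: `webalizer_log_t` is declared here and given `manage_dirs_pattern`/`manage_files_pattern` rules in the next hunk of this file, but neither a `logging_log_filetrans(webalizer_t, webalizer_log_t, ...)` call nor a `.fc` entry for the log path appears anywhere in this patch, so files webalizer_t creates under /var/log would keep the parent's `var_log_t` label and the new manage rules would never apply. If the label is meant to come from a file context, the `.fc` change is missing; otherwise add a transition next to the manage rules, e.g. `logging_log_filetrans(webalizer_t, webalizer_log_t, { dir file })` plus `logging_search_logs(webalizer_t)` so the domain can reach /var/log, both of which this patch set already uses elsewhere.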
@@ -36,11 +39,15 @@ allow webalizer_t self:unix_stream_socke
 allow webalizer_t self:tcp_socket { accept listen };
 
 allow webalizer_t webalizer_etc_t:file read_file_perms;
+files_read_usr_files(webalizer_t)
 
 manage_dirs_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
 manage_files_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
 files_tmp_filetrans(webalizer_t, webalizer_tmp_t, { file dir })
 
+manage_dirs_pattern(webalizer_t, webalizer_log_t, webalizer_log_t)
+manage_files_pattern(webalizer_t, webalizer_log_t, webalizer_log_t)
+
 manage_files_pattern(webalizer_t, webalizer_var_lib_t, webalizer_var_lib_t)
 files_var_lib_filetrans(webalizer_t, webalizer_var_lib_t, file)
 
Index: refpolicy/policy/modules/system/logging.if
===================================================================
--- refpolicy.orig/policy/modules/system/logging.if
+++ refpolicy/policy/modules/system/logging.if
@@ -494,6 +494,7 @@ interface(`logging_log_filetrans',`
 
 	files_search_var($1)
 	filetrans_pattern($1, var_log_t, $2, $3, $4)
+	allow $1 var_log_t:lnk_file read_lnk_file_perms;
 ')
 
 ########################################
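Review bot: The line `allow $1 var_log_t:lnk_file read_lnk_file_perms;` is pasted verbatim into seven interfaces in this file (`logging_log_filetrans`, `logging_search_logs`, `logging_list_logs`, `logging_rw_generic_log_dirs`, `logging_append_all_logs`, `logging_write_generic_logs`, `logging_rw_generic_logs`), while each interface's `<summary>` above it still describes only the original access. The conventional form is the pattern macro `read_lnk_files_pattern($1, var_log_t, var_log_t)`, which this same patch uses in alsa.te, and each `<summary>` needs a clause such as `also follows symlinks in /var/log` so the interface docs stay truthful. Note the scope widening: every existing caller of `logging_log_filetrans`, including domains that only create files in /var/log, can now read symlinks there; low risk, but it belongs in the commit description.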
@@ -690,6 +691,7 @@ interface(`logging_search_logs',`
 
 	files_search_var($1)
 	allow $1 var_log_t:dir search_dir_perms;
+	allow $1 var_log_t:lnk_file read_lnk_file_perms;
 ')
 
 #######################################
@@ -727,6 +729,7 @@ interface(`logging_list_logs',`
 
 	files_search_var($1)
 	allow $1 var_log_t:dir list_dir_perms;
+	allow $1 var_log_t:lnk_file read_lnk_file_perms;
 ')
 
 #######################################
@@ -746,6 +749,7 @@ interface(`logging_rw_generic_log_dirs',
 
 	files_search_var($1)
 	allow $1 var_log_t:dir rw_dir_perms;
+	allow $1 var_log_t:lnk_file read_lnk_file_perms;
 ')
 
 #######################################
@@ -841,6 +845,7 @@ interface(`logging_append_all_logs',`
 
 	files_search_var($1)
 	append_files_pattern($1, var_log_t, logfile)
+	allow $1 var_log_t:lnk_file read_lnk_file_perms;
 ')
 
 ########################################
@@ -983,6 +988,7 @@ interface(`logging_write_generic_logs',`
 	files_search_var($1)
 	allow $1 var_log_t:dir list_dir_perms;
 	write_files_pattern($1, var_log_t, var_log_t)
+	allow $1 var_log_t:lnk_file read_lnk_file_perms;
 ')
 
 ########################################
@@ -1021,6 +1027,7 @@ interface(`logging_rw_generic_logs',`
 	files_search_var($1)
 	allow $1 var_log_t:dir list_dir_perms;
 	rw_files_pattern($1, var_log_t, var_log_t)
+	allow $1 var_log_t:lnk_file read_lnk_file_perms;
 ')
 
 ########################################
Index: refpolicy/policy/modules/contrib/postfixpolicyd.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/postfixpolicyd.te
+++ refpolicy/policy/modules/contrib/postfixpolicyd.te
@@ -18,13 +18,18 @@ init_script_file(postfix_policyd_initrc_
 type postfix_policyd_var_run_t;
 files_pid_file(postfix_policyd_var_run_t)
 
+type postfix_policyd_tmp_t;
+files_type(postfix_policyd_tmp_t)
+
+
 ########################################
 #
 # Local policy
 #
 
-allow postfix_policyd_t self:capability { sys_resource sys_chroot setgid setuid };
-allow postfix_policyd_t self:process setrlimit;
+allow postfix_policyd_t self:capability { chown sys_resource sys_chroot setgid setuid };
+allow postfix_policyd_t self:process { setrlimit signal signull };
+
 allow postfix_policyd_t self:tcp_socket { accept listen };
 
 allow postfix_policyd_t postfix_policyd_conf_t:dir list_dir_perms;
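Review bot: `postfix_policyd_tmp_t` is declared with `files_type()` even though the next hunk uses it with `files_tmp_filetrans`; the refpolicy convention for temporary-file types is `files_tmp_file(postfix_policyd_tmp_t)`, which is what marks the type as a tmp file for the generic tmp handling interfaces. The declaration is also followed by two blank lines where the rest of the file uses one, and the last hunk of this file ends with a trailing blank line. The new `chown` capability and `signal signull` self permissions are unexplained; a short comment above them, e.g. `# chown: TODO name the file the daemon chowns at startup`, would let a later reviewer judge whether the capability is still needed.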
@@ -34,6 +39,9 @@ allow postfix_policyd_t postfix_policyd_
 manage_files_pattern(postfix_policyd_t, postfix_policyd_var_run_t, postfix_policyd_var_run_t)
 files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file)
 
+files_tmp_filetrans(postfix_policyd_t, postfix_policyd_tmp_t, { file sock_file })
+allow postfix_policyd_t postfix_policyd_tmp_t:{ file sock_file } manage_file_perms;
+
 corenet_all_recvfrom_unlabeled(postfix_policyd_t)
 corenet_tcp_sendrecv_generic_if(postfix_policyd_t)
 corenet_tcp_sendrecv_generic_node(postfix_policyd_t)
@@ -49,9 +57,14 @@ corenet_tcp_sendrecv_mysqld_port(postfix
 
 files_read_etc_files(postfix_policyd_t)
 files_read_usr_files(postfix_policyd_t)
+corecmd_exec_bin(postfix_policyd_t)
+dev_read_urand(postfix_policyd_t)
 
 logging_send_syslog_msg(postfix_policyd_t)
 
 miscfiles_read_localization(postfix_policyd_t)
 
 sysnet_dns_name_resolve(postfix_policyd_t)
+
+kernel_search_network_sysctl(postfix_policyd_t)
+
Index: refpolicy/policy/modules/contrib/mrtg.if
===================================================================
--- refpolicy.orig/policy/modules/contrib/mrtg.if
+++ refpolicy/policy/modules/contrib/mrtg.if
@@ -2,6 +2,24 @@
 
 ########################################
 ## <summary>
+##	Read mrtg configuration
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`read_mrtg_etc',`
+	gen_require(`
+		type mrtg_etc_t;
+	')
+
+	allow $1 mrtg_etc_t:file read_file_perms;
+')
+
+########################################
+## <summary>
 ##	Create and append mrtg log files.
 ## </summary>
 ## <param name="domain">
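Review bot: `read_mrtg_etc` breaks the module-prefix naming that every other refpolicy interface follows; `mrtg_read_config` would match the neighbouring `mrtg_` interfaces (the one whose summary follows, "Create and append mrtg log files"), and unprefixed names are the first thing upstream review rejects. The body grants only `file read_file_perms`; if `mrtg_etc_t` labels a directory rather than a single file, callers also need search on it, which `read_files_pattern($1, mrtg_etc_t, mrtg_etc_t)` (already used in this patch set in alsa.te) provides. Whether mrtg_etc_t labels a directory is not visible in this hunk.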
Index: refpolicy/policy/modules/contrib/postgrey.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/postgrey.te
+++ refpolicy/policy/modules/contrib/postgrey.te
@@ -34,6 +34,8 @@ dontaudit postgrey_t self:capability sys
 allow postgrey_t self:process signal_perms;
 allow postgrey_t self:fifo_file create_fifo_file_perms;
 allow postgrey_t self:tcp_socket create_stream_socket_perms;
+allow postgrey_t self:netlink_route_socket r_netlink_socket_perms;
+allow postgrey_t self:udp_socket { connect connected_socket_perms };
 
 allow postgrey_t postgrey_etc_t:dir list_dir_perms;
 allow postgrey_t postgrey_etc_t:file read_file_perms;
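Review bot: The two added self rules (`netlink_route_socket r_netlink_socket_perms` and `udp_socket { connect connected_socket_perms }`) are the raw form of the access that `sysnet_dns_name_resolve(postgrey_t)` grants, and that interface is what postfixpolicyd.te in this same patch uses; if postgrey.te does not already call it (not visible in this hunk) prefer the interface so the DNS port rules come with it, and if it does, these two lines are redundant. In the second hunk of this file, `corecmd_read_bin_files` next to `corecmd_exec_bin` looks redundant as well, since executing bin_t files already requires reading them, and a comment naming what postgrey executes would justify the new exec grant.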
@@ -55,7 +57,8 @@ files_pid_filetrans(postgrey_t, postgrey
 kernel_read_system_state(postgrey_t)
 kernel_read_kernel_sysctls(postgrey_t)
 
-corecmd_search_bin(postgrey_t)
+corecmd_read_bin_files(postgrey_t)
+corecmd_exec_bin(postgrey_t)
 
 corenet_all_recvfrom_unlabeled(postgrey_t)
 corenet_all_recvfrom_netlabel(postgrey_t)
Index: refpolicy/policy/modules/contrib/jabber.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/jabber.fc
+++ refpolicy/policy/modules/contrib/jabber.fc
@@ -8,18 +8,22 @@
 /usr/sbin/ejabberd	--	gen_context(system_u:object_r:jabberd_exec_t,s0)
 /usr/sbin/ejabberdctl	--	gen_context(system_u:object_r:jabberd_exec_t,s0)
 /usr/sbin/jabberd	--	gen_context(system_u:object_r:jabberd_exec_t,s0)
+/usr/bin/prosody	--	gen_context(system_u:object_r:jabberd_exec_t,s0)
 
 /var/lock/ejabberdctl(/.*)	gen_context(system_u:object_r:jabberd_lock_t,s0)
 
 /var/log/ejabberd(/.*)?	gen_context(system_u:object_r:jabberd_log_t,s0)
 /var/log/jabber(/.*)?	gen_context(system_u:object_r:jabberd_log_t,s0)
+/var/log/prosody(/.*)?	gen_context(system_u:object_r:jabberd_log_t,s0)
 
 /var/lib/ejabberd(/.*)?	gen_context(system_u:object_r:jabberd_var_lib_t,s0)
 /var/lib/ejabberd/spool(/.*)?	gen_context(system_u:object_r:jabberd_spool_t,s0)
 /var/lib/jabber(/.*)?	gen_context(system_u:object_r:jabberd_var_lib_t,s0)
 /var/lib/jabberd(/.*)?	gen_context(system_u:object_r:jabberd_var_lib_t,s0)
+/var/lib/prosody(/.*)?	gen_context(system_u:object_r:jabberd_var_lib_t,s0)
 /var/lib/jabberd/log(/.*)?	gen_context(system_u:object_r:jabberd_log_t,s0)
 /var/lib/jabberd/pid(/.*)?	gen_context(system_u:object_r:jabberd_var_run_t,s0)
 
+/var/run/prosody(/.*)?		gen_context(system_u:object_r:jabberd_var_run_t,s0)
 /var/run/ejabber\.pid	--	gen_context(system_u:object_r:jabberd_var_run_t,s0)
 /var/run/jabber\.pid	--	gen_context(system_u:object_r:jabberd_var_run_t,s0)
Index: refpolicy/policy/modules/contrib/spamassassin.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/spamassassin.fc
+++ refpolicy/policy/modules/contrib/spamassassin.fc
@@ -23,6 +23,7 @@ HOME_DIR/\.spamd(/.*)?	gen_context(syste
 /var/log/mimedefang.*	--	gen_context(system_u:object_r:spamd_log_t,s0)
 
 /var/run/spamassassin(/.*)?	gen_context(system_u:object_r:spamd_var_run_t,s0)
+/var/run/spamassassin\.pid --	gen_context(system_u:object_r:spamd_var_run_t,s0)
 
 /var/spool/spamassassin(/.*)?	gen_context(system_u:object_r:spamd_spool_t,s0)
 /var/spool/spamd(/.*)?	gen_context(system_u:object_r:spamd_spool_t,s0)
Index: refpolicy/policy/modules/admin/usermanage.te
===================================================================
--- refpolicy.orig/policy/modules/admin/usermanage.te
+++ refpolicy/policy/modules/admin/usermanage.te
@@ -360,6 +360,12 @@ optional_policy(`
 	nscd_run(passwd_t, passwd_roles)
 ')
 
+optional_policy(`
+	# for dpkg to create users
+	permit_in_unconfined_r(passwd_t)
+	unconfined_use_fds(passwd_t)
+')
+
 ########################################
 #
 # Password admin local policy
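Review bot: The comment `# for dpkg to create users` does not match the domain it annotates: `passwd_t` is the passwd/chpasswd domain, and account creation would normally run in the useradd domain (`useradd_t`), so the comment should say what passwd_t does in the dpkg flow (presumably a postinst calling chpasswd; confirm). `permit_in_unconfined_r` is not a name I can find in this file or any neighbouring hunk; if it is defined in another file of this patch set the block is fine, otherwise the module will not build. Allowing passwd_t in unconfined_r together with `unconfined_use_fds` is a reasonable scope for an unconfined package manager, but naming the script that needs it in the comment would help.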
Index: refpolicy/policy/modules/kernel/corenetwork.te.in
===================================================================
--- refpolicy.orig/policy/modules/kernel/corenetwork.te.in
+++ refpolicy/policy/modules/kernel/corenetwork.te.in
@@ -211,7 +211,7 @@ network_port(pop, tcp,106,s0, tcp,109,s0
 network_port(portmap, udp,111,s0, tcp,111,s0)
 network_port(postfix_policyd, tcp,10031,s0)
 network_port(postgresql, tcp,5432,s0)
-network_port(postgrey, tcp,60000,s0)
+network_port(postgrey, tcp,10023,s0, tcp,60000,s0)
 network_port(pptp, tcp,1723,s0, udp,1723,s0)
 network_port(prelude, tcp,4690,s0, udp,4690,s0)
 network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
@@ -230,7 +230,7 @@ network_port(repository, tcp, 6363, s0)
 network_port(ricci, tcp,11111,s0, udp,11111,s0)
 network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
 network_port(rlogind, tcp,513,s0)
-network_port(rndc, tcp,953,s0, udp,953,s0)
+network_port(rndc, tcp,953,s0, udp,953,s0, tcp,8953,s0, udp,8953,s0)
 network_port(router, udp,520,s0, udp,521,s0, tcp,521,s0)
 network_port(rsh, tcp,514,s0)
 network_port(rsync, tcp,873,s0, udp,873,s0)
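Review bot: Adding tcp/udp 8953 to `rndc` labels the default unbound-control port (8953) as `rndc_port_t`, so every domain allowed to reach BIND's rndc control channel is also allowed to reach unbound's control channel and vice versa; a separate port type, or at least a note in the commit description that the overlap is intended, would keep the two control planes separately controllable. The 10023 addition for postgrey in the previous hunk is the Debian default listen port, so a trailing comment such as `# 10023: Debian default, 60000: upstream default` would document why both are listed.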
Index: refpolicy/policy/modules/admin/netutils.te
===================================================================
--- refpolicy.orig/policy/modules/admin/netutils.te
+++ refpolicy/policy/modules/admin/netutils.te
@@ -133,6 +133,7 @@ files_read_etc_files(ping_t)
 files_dontaudit_search_var(ping_t)
 
 kernel_read_system_state(ping_t)
+dev_read_urand(ping_t)
 
 auth_use_nsswitch(ping_t)
 
Index: refpolicy/policy/modules/admin/dmesg.te
===================================================================
--- refpolicy.orig/policy/modules/admin/dmesg.te
+++ refpolicy/policy/modules/admin/dmesg.te
@@ -25,6 +25,8 @@ kernel_clear_ring_buffer(dmesg_t)
 kernel_change_ring_buffer_level(dmesg_t)
 kernel_list_proc(dmesg_t)
 kernel_read_proc_symlinks(dmesg_t)
+dev_read_kmsg(dmesg_t)
+
 # for when /usr is not mounted:
 kernel_dontaudit_search_unlabeled(dmesg_t)
 
Index: refpolicy/policy/modules/system/sysnetwork.if
===================================================================
--- refpolicy.orig/policy/modules/system/sysnetwork.if
+++ refpolicy/policy/modules/system/sysnetwork.if
@@ -442,6 +442,31 @@ interface(`sysnet_etc_filetrans_config',
 
 #######################################
 ## <summary>
+##	Create directories in /var/run with the type used for
+##	the network config files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`sysnet_var_run_dirtrans_config',`
+	gen_require(`
+		type net_conf_t;
+	')
+
+	files_pid_filetrans($1, net_conf_t, dir, $2)
+	allow $1 net_conf_t:dir create_dir_perms;
+')
+
+#######################################
+## <summary>
 ##	Create, read, write, and delete network config files.
 ## </summary>
 ## <param name="domain">
Index: refpolicy/policy/modules/system/logging.te
===================================================================
--- refpolicy.orig/policy/modules/system/logging.te
+++ refpolicy/policy/modules/system/logging.te
@@ -121,6 +121,7 @@ ifdef(`init_systemd', `
 
 allow auditctl_t self:capability { fsetid dac_read_search dac_override };
 allow auditctl_t self:netlink_audit_socket nlmsg_readpriv;
+allow auditctl_t self:process getcap;
 
 read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t)
 allow auditctl_t auditd_etc_t:dir list_dir_perms;
@@ -172,6 +173,7 @@ allow auditd_t auditd_etc_t:file read_fi
 
 manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
 manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
+allow auditd_t auditd_log_t:dir setattr;
 allow auditd_t var_log_t:dir search_dir_perms;
 
 manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
Index: refpolicy/policy/modules/roles/sysadm.te
===================================================================
--- refpolicy.orig/policy/modules/roles/sysadm.te
+++ refpolicy/policy/modules/roles/sysadm.te
@@ -354,6 +354,7 @@ optional_policy(`
 
 optional_policy(`
 	dmesg_exec(sysadm_t)
+	dev_read_kmsg(sysadm_t)
 ')
 
 optional_policy(`
Index: refpolicy/policy/modules/contrib/alsa.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/alsa.fc
+++ refpolicy/policy/modules/contrib/alsa.fc
@@ -28,3 +28,4 @@ ifdef(`distro_debian',`
 /var/lib/alsa(/.*)?	gen_context(system_u:object_r:alsa_var_lib_t,s0)
 
 /var/lock/asound\.state\.lock	--	gen_context(system_u:object_r:alsa_var_lock_t,s0)
+/var/run/alsa			-d	gen_context(system_u:object_r:alsa_var_lock_t,s0)
Index: refpolicy/policy/modules/contrib/alsa.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/alsa.te
+++ refpolicy/policy/modules/contrib/alsa.te
@@ -46,6 +46,9 @@ allow alsa_t self:unix_stream_socket { a
 
 allow alsa_t alsa_home_t:file read_file_perms;
 
+files_pid_filetrans(alsa_t, alsa_var_lock_t, dir, "alsa")
+manage_lnk_files_pattern(alsa_t, alsa_var_lock_t, alsa_var_lock_t)
+manage_dirs_pattern(alsa_t, alsa_var_lock_t, alsa_var_lock_t)
 list_dirs_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
 read_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
 read_lnk_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
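Review bot: `files_pid_filetrans(alsa_t, alsa_var_lock_t, dir, "alsa")` together with the `/var/run/alsa -d` entry in alsa.fc creates a runtime directory under /var/run labelled with the lock type, although `alsa_var_lock_t` labels `/var/lock/asound.state.lock` and carries lock semantics; the convention for run-time state is a dedicated type declared with `files_pid_file()`, as this patch does for `postfix_policyd_var_run_t`. Reusing the lock type means any domain granted access to the lock file also gets the run directory and its symlinks, and the new `manage_lnk_files_pattern`/`manage_dirs_pattern` rules widen what alsa_t may do to the lock file itself. The three new lines are also inserted directly above the `alsa_etc_t` block without the blank-line separation the file uses elsewhere.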
Index: refpolicy/policy/modules/contrib/postfix.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/postfix.fc
+++ refpolicy/policy/modules/contrib/postfix.fc
@@ -1,23 +1,23 @@
-/etc/postfix.*	gen_context(system_u:object_r:postfix_etc_t,s0)
+/etc/postfix(/.*)?			gen_context(system_u:object_r:postfix_etc_t,s0)
 /etc/postfix/postfix-script.*	--	gen_context(system_u:object_r:postfix_exec_t,s0)
 /etc/postfix/prng_exch	--	gen_context(system_u:object_r:postfix_prng_t,s0)
 
 /etc/rc\.d/init\.d/postfix	--	gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
 
-/usr/lib/postfix/.*	--	gen_context(system_u:object_r:postfix_exec_t,s0)
-/usr/lib/postfix/cleanup	--	gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
-/usr/lib/postfix/local	--	gen_context(system_u:object_r:postfix_local_exec_t,s0)
-/usr/lib/postfix/master	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
-/usr/lib/postfix/pickup	--	gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
-/usr/lib/postfix/(n)?qmgr	--	gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
-/usr/lib/postfix/showq	--	gen_context(system_u:object_r:postfix_showq_exec_t,s0)
-/usr/lib/postfix/smtp	--	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/lib/postfix/lmtp	--	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/lib/postfix/scache	--	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/lib/postfix/smtpd	--	gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
-/usr/lib/postfix/bounce	--	gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
-/usr/lib/postfix/pipe	--	gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
-/usr/lib/postfix/virtual	--	gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
+/usr/lib/postfix/(sbin/)?.*	--	gen_context(system_u:object_r:postfix_exec_t,s0)
+/usr/lib/postfix/(sbin/)?cleanup	--	gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
+/usr/lib/postfix/(sbin/)?local	--	gen_context(system_u:object_r:postfix_local_exec_t,s0)
+/usr/lib/postfix/(sbin/)?master	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/lib/postfix/(sbin/)?pickup	--	gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
+/usr/lib/postfix/(sbin/)?(n)?qmgr	--	gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
+/usr/lib/postfix/(sbin/)?showq	--	gen_context(system_u:object_r:postfix_showq_exec_t,s0)
+/usr/lib/postfix/(sbin/)?smtp	--	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/lib/postfix/(sbin/)?lmtp	--	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/lib/postfix/(sbin/)?scache	--	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/lib/postfix/(sbin/)?smtpd	--	gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
+/usr/lib/postfix/(sbin/)?bounce	--	gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
+/usr/lib/postfix/(sbin/)?pipe	--	gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
+/usr/lib/postfix/(sbin/)?virtual	--	gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
 
 /usr/libexec/postfix/.*	--	gen_context(system_u:object_r:postfix_exec_t,s0)
 /usr/libexec/postfix/cleanup	--	gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
Index: refpolicy/policy/modules/system/libraries.fc
===================================================================
--- refpolicy.orig/policy/modules/system/libraries.fc
+++ refpolicy/policy/modules/system/libraries.fc
@@ -114,6 +114,7 @@ ifdef(`distro_debian',`
 /usr/(.*/)?dh-python/dh_pypy		--	gen_context(system_u:object_r:lib_t,s0)
 ')
 
+/usr/lib/postfix/lib.*so.*		--	gen_context(system_u:object_r:lib_t,s0)
 /usr/lib/altivec/libavcodec\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/cedega/.+\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/dovecot/(.*/)?lib.*\.so.*      --      gen_context(system_u:object_r:lib_t,s0)
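Review bot: `/usr/lib/postfix/lib.*so.*` leaves the dot before `so` unescaped, unlike the neighbouring entries that write `\.so`, so any character matches there; `/usr/lib/postfix/lib.*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:lib_t,s0)` follows the form the two lines below use. The entry is placed just outside the `ifdef(`distro_debian'` block that closes above it; if this library layout is Debian-specific it belongs inside that block. The postfix.fc hunk in this patch labels everything under `/usr/lib/postfix/(sbin/)?.*` as `postfix_exec_t`, so this line is what keeps the libraries from being labelled executable; a comment saying so would explain the dependency.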
Index: refpolicy/policy/modules/contrib/networkmanager.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/networkmanager.fc
+++ refpolicy/policy/modules/contrib/networkmanager.fc
@@ -3,7 +3,7 @@
 /etc/NetworkManager(/.*)?	gen_context(system_u:object_r:NetworkManager_etc_t,s0)
 /etc/NetworkManager/NetworkManager\.conf	gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0)
 /etc/NetworkManager/system-connections(/.*)?	gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0)
-/etc/NetworkManager/dispatcher\.d(/.*)?	gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+/etc/NetworkManager/dispatcher\.d(/.*)?	--	gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
 
 /etc/dhcp/manager-settings\.conf	--	gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
 /etc/dhcp/wireless-settings\.conf	--	gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
Index: refpolicy/policy/modules/contrib/inetd.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/inetd.te
+++ refpolicy/policy/modules/contrib/inetd.te
@@ -61,6 +61,7 @@ kernel_read_system_state(inetd_t)
 kernel_tcp_recvfrom_unlabeled(inetd_t)
 
 corecmd_bin_domtrans(inetd_t, inetd_child_t)
+corecmd_bin_entry_type(inetd_child_t)
 
 corenet_all_recvfrom_unlabeled(inetd_t)
 corenet_all_recvfrom_netlabel(inetd_t)
Index: refpolicy/policy/modules/contrib/devicekit.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/devicekit.te
+++ refpolicy/policy/modules/contrib/devicekit.te
@@ -56,6 +56,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	xserver_dbus_chat_xdm(devicekit_power_t)
+')
+
+optional_policy(`
 	udev_read_db(devicekit_t)
 ')
 
@@ -65,6 +69,8 @@ optional_policy(`
 #
 
 allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_ptrace sys_rawio };
+allow devicekit_disk_t self:capability2 wake_alarm;
+
 allow devicekit_disk_t self:process { getsched signal_perms };
 allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
 allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -198,6 +204,7 @@ optional_policy(`
 #
 
 allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace };
+allow devicekit_power_t self:capability2 wake_alarm;
 allow devicekit_power_t self:process { getsched signal_perms };
 allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
 allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
Index: refpolicy/policy/modules/services/xserver.te
===================================================================
--- refpolicy.orig/policy/modules/services/xserver.te
+++ refpolicy/policy/modules/services/xserver.te
@@ -260,6 +260,7 @@ files_tmp_filetrans(xauth_t, xauth_tmp_t
 
 allow xdm_t xauth_home_t:file manage_file_perms;
 userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file)
+allow xauth_t xdm_t:process sigchld;
 
 kernel_request_load_module(xauth_t)
 
@@ -622,6 +623,7 @@ allow xserver_t input_xevent_t:x_event s
 
 allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
 dontaudit xserver_t self:capability chown;
+allow xserver_t self:capability2 wake_alarm;
 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow xserver_t self:fd use;
 allow xserver_t self:fifo_file rw_fifo_file_perms;
Index: refpolicy/policy/modules/system/mount.te
===================================================================
--- refpolicy.orig/policy/modules/system/mount.te
+++ refpolicy/policy/modules/system/mount.te
@@ -52,8 +52,8 @@ can_exec(mount_t, mount_exec_t)
 
 files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
 
-create_dirs_pattern(mount_t, mount_var_run_t, mount_var_run_t)
-create_files_pattern(mount_t, mount_var_run_t, mount_var_run_t)
+manage_dirs_pattern(mount_t, mount_var_run_t, mount_var_run_t)
+manage_files_pattern(mount_t, mount_var_run_t, mount_var_run_t)
 rw_files_pattern(mount_t, mount_var_run_t, mount_var_run_t)
 files_pid_filetrans(mount_t, mount_var_run_t, dir, "mount")
 
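Review bot: `rw_files_pattern(mount_t, mount_var_run_t, mount_var_run_t)` on the line after the change is now redundant, because `manage_files_pattern` already includes read and write; drop it so the rule set has a single source of truth. The `create_*` to `manage_*` step also grants mount_t delete and rename on its run directory, which is presumably what the `files_pid_filetrans(..., "mount")` directory needs, but a comment such as `# mount(8) cleans up its /run/mount state (TODO confirm)` would record why.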
@@ -103,7 +103,10 @@ files_dontaudit_write_all_mountpoints(mo
 files_dontaudit_setattr_all_mountpoints(mount_t)
 
 fs_getattr_xattr_fs(mount_t)
+fs_getattr_tmpfs(mount_t)
+fs_getattr_rpc_pipefs(mount_t)
 fs_getattr_cifs(mount_t)
+fs_getattr_nfs(mount_t)
 fs_mount_all_fs(mount_t)
 fs_unmount_all_fs(mount_t)
 fs_remount_all_fs(mount_t)
Index: refpolicy/policy/modules/system/init.fc
===================================================================
--- refpolicy.orig/policy/modules/system/init.fc
+++ refpolicy/policy/modules/system/init.fc
@@ -61,7 +61,6 @@ ifdef(`distro_gentoo', `
 /usr/libexec/dcc/start-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
 /usr/libexec/dcc/stop-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
 
-/usr/sbin/apachectl	-- 	gen_context(system_u:object_r:initrc_exec_t,s0)
 /usr/sbin/open_init_pty	--	gen_context(system_u:object_r:initrc_exec_t,s0)
 /usr/sbin/startx	-- 	gen_context(system_u:object_r:initrc_exec_t,s0)
 /usr/bin/systemd	--	gen_context(system_u:object_r:init_exec_t,s0)
@@ -85,6 +84,10 @@ ifdef(`distro_gentoo', `
 ifdef(`distro_debian',`
 /var/run/hotkey-setup	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
 /var/run/kdm/.*		--	gen_context(system_u:object_r:initrc_var_run_t,s0)
+/etc/network/if-pre-up.d/.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
+/etc/network/if-up.d/.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
+/etc/network/if-down.d/.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
+/etc/network/if-post-down.d/.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
 ')
 
 ifdef(`distro_gentoo', `
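Review bot: Labelling everything under the four `/etc/network/if-*.d/` directories as `initrc_exec_t` means every hook script any package drops there runs in `initrc_t`, a broad domain, and nothing in the hunk says which caller needs the transition; a one-line comment above the entries, e.g. `# ifupdown hook scripts; executed from ifup/ifdown and run in initrc_t (TODO: confirm the caller domain)`, would make the intent reviewable. The entries also use a space before `--` where the rest of the file uses a tab. The `/usr/sbin/apachectl` removal in the previous hunk is presumably a move into apache.fc, which is not in this chunk; the commit description should say so.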
Index: refpolicy/policy/modules/contrib/munin.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/munin.te
+++ refpolicy/policy/modules/contrib/munin.te
@@ -386,6 +386,7 @@ optional_policy(`
 #
 
 allow system_munin_plugin_t self:udp_socket create_socket_perms;
+allow system_munin_plugin_t self:capability net_admin;
 
 rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
 
@@ -396,6 +397,7 @@ kernel_read_all_sysctls(system_munin_plu
 
 dev_read_sysfs(system_munin_plugin_t)
 dev_read_urand(system_munin_plugin_t)
+files_read_usr_files(system_munin_plugin_t)
 
 domain_read_all_domains_state(system_munin_plugin_t)
 
Index: refpolicy/policy/modules/contrib/rsync.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/rsync.te
+++ refpolicy/policy/modules/contrib/rsync.te
@@ -158,6 +158,8 @@ tunable_policy(`rsync_export_all_ro',`
 	files_list_non_auth_dirs(rsync_t)
 	files_read_non_auth_files(rsync_t)
 	files_read_non_auth_symlinks(rsync_t)
+	getattr_fifo_files_pattern(rsync_t, file_type, file_type)
+	getattr_sock_files_pattern(rsync_t, file_type, file_type)
 	auth_tunable_read_shadow(rsync_t)
 ')
 
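Review bot: `getattr_fifo_files_pattern(rsync_t, file_type, file_type)` and the sock_file line below it reference the `file_type` attribute directly from a contrib module, bypassing the kernel-layer interfaces the surrounding lines use (`files_list_non_auth_dirs`, `files_read_non_auth_files`); they also cover every file type, not just the non-auth ones this tunable is scoped to, and in a modular build the attribute would have to be required, which the hunk does not do. If getattr on all pipes and sockets is really what `rsync_export_all_ro` should grant, use the files module interfaces (refpolicy's files.if provides `files_getattr_all_pipes` and `files_getattr_all_sockets`) so the dependency is declared, and note in a comment that the grant is wider than the non-auth scope of the neighbouring rules.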
Index: refpolicy/policy/modules/contrib/bitlbee.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/bitlbee.te
+++ refpolicy/policy/modules/contrib/bitlbee.te
@@ -61,6 +61,7 @@ files_pid_filetrans(bitlbee_t, bitlbee_v
 
 kernel_read_kernel_sysctls(bitlbee_t)
 kernel_read_system_state(bitlbee_t)
+kernel_read_crypto_sysctls(bitlbee_t)
 
 corenet_all_recvfrom_unlabeled(bitlbee_t)
 corenet_all_recvfrom_netlabel(bitlbee_t)
Index: refpolicy/policy/modules/system/unconfined.te
===================================================================
--- refpolicy.orig/policy/modules/system/unconfined.te
+++ refpolicy/policy/modules/system/unconfined.te
@@ -87,7 +87,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	cron_unconfined_role(unconfined_r, unconfined_t)
+	cron_role(unconfined_r, unconfined)
 ')
 
 optional_policy(`
@@ -128,6 +128,7 @@ optional_policy(`
 
 optional_policy(`
 	mono_domtrans(unconfined_t)
+	mono_run(unconfined_t, unconfined_r)
 ')
 
 optional_policy(`
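Review bot: `mono_run(unconfined_t, unconfined_r)` already performs the domain transition that `mono_domtrans(unconfined_t)` on the line above grants, so the older line becomes redundant and can be dropped (assuming `mono_run` follows the usual `*_run` = `*_domtrans` plus role pattern; its body is not visible here). The `xserver_role(unconfined_r, unconfined_t)` block in the last hunk of this file widens the unconfined role into the X server role interfaces; that is consistent with the domain being unconfined, but a comment naming the display manager or session that needed it would explain the trigger.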
@@ -217,6 +218,11 @@ optional_policy(`
 	wine_domtrans(unconfined_t)
 ')
 
+optional_policy(`
+	xserver_role(unconfined_r, unconfined_t)
+	xserver_dbus_chat_xdm(unconfined_t)
+')
+
 ########################################
 #
 # Unconfined Execmem Local policy
Index: refpolicy/policy/modules/system/lvm.fc
===================================================================
--- refpolicy.orig/policy/modules/system/lvm.fc
+++ refpolicy/policy/modules/system/lvm.fc
@@ -98,6 +98,7 @@ ifdef(`distro_gentoo',`
 
 /usr/sbin/clvmd		--	gen_context(system_u:object_r:clvmd_exec_t,s0)
 /usr/sbin/lvm		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/usr/sbin/lvmetad	--	gen_context(system_u:object_r:lvm_exec_t,s0)
 
 #
 # /var
@@ -107,3 +108,4 @@ ifdef(`distro_gentoo',`
 /var/lock/lvm(/.*)?		gen_context(system_u:object_r:lvm_lock_t,s0)
 /var/run/multipathd\.sock -s	gen_context(system_u:object_r:lvm_var_run_t,s0)
 /var/run/dmevent.*		gen_context(system_u:object_r:lvm_var_run_t,s0)
+/var/run/lvm(/.*)?		gen_context(system_u:object_r:lvm_var_run_t,s0)
Index: refpolicy/policy/modules/system/sysnetwork.te
===================================================================
--- refpolicy.orig/policy/modules/system/sysnetwork.te
+++ refpolicy/policy/modules/system/sysnetwork.te
@@ -238,6 +238,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	samba_manage_config(dhcpc_t)
+')
+
+optional_policy(`
 	seutil_sigchld_newrole(dhcpc_t)
 	seutil_dontaudit_search_config(dhcpc_t)
 ')
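Review bot: `samba_manage_config(dhcpc_t)` lets the DHCP client domain create, write and delete Samba's configuration, a large grant for a network-facing client that acts on lease data from the network, and the block carries no comment saying why. If the trigger is a DHCP hook script that rewrites the WINS entries in smb.conf (my guess; confirm), say so above the call, e.g. `# dhcp hook rewrites smb.conf WINS settings (TODO: confirm)`, and consider whether a narrower write-only interface on the samba config type would suffice.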
Index: refpolicy/policy/modules/system/udev.fc
===================================================================
--- refpolicy.orig/policy/modules/system/udev.fc
+++ refpolicy/policy/modules/system/udev.fc
@@ -38,4 +38,5 @@ ifdef(`distro_redhat',`
 ifdef(`distro_debian',`
 /lib/systemd/systemd-udevd	--	gen_context(system_u:object_r:udev_exec_t,s0)
 /var/run/xen-hotplug -d	gen_context(system_u:object_r:udev_var_run_t,s0)
+/var/run/console-setup(/.*)?	gen_context(system_u:object_r:udev_var_run_t,s0)
 ')
Index: refpolicy/policy/modules/contrib/dbus.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/dbus.te
+++ refpolicy/policy/modules/contrib/dbus.te
@@ -96,6 +96,10 @@ corecmd_exec_shell(system_dbusd_t)
 dev_read_urand(system_dbusd_t)
 dev_read_sysfs(system_dbusd_t)
 
+# gdm3 causes system_dbusd_t to want this access
+dev_rw_dri(system_dbusd_t)
+dev_rw_input_dev(system_dbusd_t)
+
 domain_use_interactive_fds(system_dbusd_t)
 domain_read_all_domains_state(system_dbusd_t)
 
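Review bot: `dev_rw_dri` and `dev_rw_input_dev` give the system message bus read/write on GPU and input device nodes, and the comment only says that gdm3 "wants" the access, which does not tell a reader whether dbus-daemon actually uses those devices. If the denials come from device descriptors gdm3 passes over the bus that dbus-daemon itself never reads or writes, a dontaudit rule would silence them without granting the access; a comment such as `# gdm3 passes DRI/input device fds over the system bus; TODO: confirm dbus-daemon performs real I/O on them before keeping this as allow` would record which case applies.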
@@ -147,6 +151,9 @@ optional_policy(`
 	# for /run/systemd/users/*
 	systemd_read_logind_pids(system_dbusd_t)
 	systemd_use_logind_fds(system_dbusd_t)
+')
+
+optional_policy(`
 	systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
 	systemd_login_write_pid_pipe(system_dbusd_t)
 ')
Index: refpolicy/policy/modules/contrib/policykit.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/policykit.te
+++ refpolicy/policy/modules/contrib/policykit.te
@@ -87,6 +87,9 @@ domtrans_pattern(policykit_t, policykit_
 
 kernel_read_kernel_sysctls(policykit_t)
 kernel_read_system_state(policykit_t)
+fs_getattr_tmpfs(policykit_t)
+fs_getattr_cgroup(policykit_t)
+dev_read_urand(policykit_t)
 
 domain_read_all_domains_state(policykit_t)
 
@@ -99,6 +102,7 @@ auth_use_nsswitch(policykit_t)
 
 userdom_getattr_all_users(policykit_t)
 userdom_read_all_users_state(policykit_t)
+userdom_dbus_send_all_users(policykit_t)
 
 # for /run/systemd/machines
 systemd_read_machines(policykit_t)
Index: refpolicy/policy/modules/services/xserver.fc
===================================================================
--- refpolicy.orig/policy/modules/services/xserver.fc
+++ refpolicy/policy/modules/services/xserver.fc
@@ -9,6 +9,7 @@ HOME_DIR/\.ICEauthority.* --	gen_context
 HOME_DIR/\.serverauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 HOME_DIR/\.xauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
+HOME_DIR/\.xsession-errors --	gen_context(system_u:object_r:xauth_home_t,s0)
 
 #
 # /dev
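Review bot: Labeling `HOME_DIR/\.xsession-errors` as xauth_home_t puts a session log file into the type reserved for X authority cookies, so every domain that may read xauth_home_t for the cookie can now read the session's error output, and whatever writes the log gains write access on the cookie type. If no existing home-content type fits, a dedicated type registered with userdom_user_home_content keeps the cookie isolated. At minimum the pattern should mirror its neighbours with a trailing `.*` so rotated `.xsession-errors.old` files receive the same label instead of falling back to user_home_t.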
@@ -30,6 +31,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
 /etc/kde[34]?/kdm/backgroundrc	gen_context(system_u:object_r:xdm_var_run_t,s0)
 
 /etc/rc\.d/init\.d/x11-common -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/etc/sddm/Xsession	--	gen_context(system_u:object_r:xsession_exec_t,s0)
 
 /etc/X11/[wx]dm/Xreset.* --	gen_context(system_u:object_r:xsession_exec_t,s0)
 /etc/X11/[wxg]dm/Xsession --	gen_context(system_u:object_r:xsession_exec_t,s0)
@@ -62,6 +64,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
 /usr/s?bin/gdm-binary	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/s?bin/lxdm(-binary)? --	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/s?bin/[xkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/bin/sddm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/gpe-dm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
 /usr/bin/slim		--	gen_context(system_u:object_r:xdm_exec_t,s0)
@@ -106,6 +109,7 @@ ifndef(`distro_debian',`
 /var/lib/lxdm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
 /var/lib/[xkw]dm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
 /var/lib/xkb(/.*)?		gen_context(system_u:object_r:xkb_var_lib_t,s0)
+/var/lib/sddm(/.*)?		gen_context(system_u:object_r:xkb_var_lib_t,s0)
 
 /var/log/[kwx]dm\.log.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
 /var/log/lightdm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
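Review bot: `/var/lib/sddm(/.*)?` is given xkb_var_lib_t while the adjacent lxdm and [xkw]dm state directories use xdm_var_lib_t; this looks like a copy error from the `/var/lib/xkb` line directly above it. With xkb_var_lib_t the display manager's state directory is treated as keyboard-map data, so sddm running in xdm_t would be denied managing its own state and domains that only need xkb data could read it; the line should be `/var/lib/sddm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)`.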
@@ -115,6 +119,7 @@ ifndef(`distro_debian',`
 /var/log/XFree86.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
 /var/log/Xorg.*		--	gen_context(system_u:object_r:xserver_log_t,s0)
 
+/var/run/sddm(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
 /var/run/gdm(3)?(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
 /var/run/gdm(3)?\.pid	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
 /var/run/xdm\.pid	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
Index: refpolicy/policy/modules/contrib/loadkeys.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/loadkeys.te
+++ refpolicy/policy/modules/contrib/loadkeys.te
@@ -39,6 +39,7 @@ init_dontaudit_use_script_ptys(loadkeys_
 locallogin_use_fds(loadkeys_t)
 
 miscfiles_read_localization(loadkeys_t)
+init_read_script_tmp_files(loadkeys_t)
 
 userdom_use_user_ttys(loadkeys_t)
 userdom_list_user_home_content(loadkeys_t)
Index: refpolicy/policy/modules/contrib/rtkit.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/rtkit.te
+++ refpolicy/policy/modules/contrib/rtkit.te
@@ -36,6 +36,9 @@ logging_send_syslog_msg(rtkit_daemon_t)
 
 miscfiles_read_localization(rtkit_daemon_t)
 
+selinux_getattr_fs(rtkit_daemon_t)
+seutil_search_default_contexts(rtkit_daemon_t)
+
 optional_policy(`
 	dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t)
 
Index: refpolicy/policy/modules/system/getty.fc
===================================================================
--- refpolicy.orig/policy/modules/system/getty.fc
+++ refpolicy/policy/modules/system/getty.fc
@@ -7,6 +7,7 @@
 /var/log/vgetty\.log\..* --	gen_context(system_u:object_r:getty_log_t,s0)
 
 /var/run/mgetty\.pid.*	--	gen_context(system_u:object_r:getty_var_run_t,s0)
+/var/run/agetty\.reload	--	gen_context(system_u:object_r:getty_var_run_t,s0)
 
 /var/spool/fax(/.*)?		gen_context(system_u:object_r:getty_var_run_t,s0)
 /var/spool/voice(/.*)?		gen_context(system_u:object_r:getty_var_run_t,s0)
Index: refpolicy/policy/modules/kernel/files.fc
===================================================================
--- refpolicy.orig/policy/modules/kernel/files.fc
+++ refpolicy/policy/modules/kernel/files.fc
@@ -112,6 +112,7 @@ ifdef(`distro_debian',`
 # on Debian /lib/init/rw is a tmpfs used like /var/run but
 # before /var is mounted
 /lib/init/rw(/.*)?		gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
+/var/run/resolvconf(/.*)? -d	gen_context(system_u:object_r:etc_t,s0)
 ')
 
 #
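Review bot: The `-d` on the added `/var/run/resolvconf(/.*)?` rule labels only the directories etc_t, so `resolv.conf` and the per-interface files inside keep var_run_t; a domain that follows the `/etc/resolv.conf` symlink through files_read_etc_files will be able to search the directory but still be denied on the file. If the goal is to let etc readers follow the symlink, the file itself needs the resolv.conf type used in this tree (net_conf_t upstream) via a separate rule; if only directory search is intended, a comment should say why a tmpfs directory carries the config type, since that also lets every etc_t writer create entries there.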
Index: refpolicy/policy/modules/contrib/backup.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/backup.te
+++ refpolicy/policy/modules/contrib/backup.te
@@ -21,7 +21,7 @@ files_type(backup_store_t)
 # Local policy
 #
 
-allow backup_t self:capability dac_override;
+allow backup_t self:capability { chown dac_override fsetid };
 allow backup_t self:process signal;
 allow backup_t self:fifo_file rw_fifo_file_perms;
 allow backup_t self:tcp_socket create_socket_perms;
Index: refpolicy/policy/modules/contrib/milter.if
===================================================================
--- refpolicy.orig/policy/modules/contrib/milter.if
+++ refpolicy/policy/modules/contrib/milter.if
@@ -97,3 +97,21 @@ interface(`milter_manage_spamass_state',
 	manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
 	manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
 ')
+
+########################################
+## <summary>
+##	stat spamassissin milter data dir
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`milter_getattr_data_dir',`
+	gen_require(`
+		type spamass_milter_data_t;
+	')
+
+	allow $1 spamass_milter_data_t:dir getattr;
+')
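Review bot: The summary on the new `milter_getattr_data_dir` interface has a typo ("spamassissin") and reads as shorthand; refpolicy summaries are full sentences, so `##	Get the attributes of the spamassassin milter data directory.` would match the interfaces above it. The body itself is minimal and correct: a single `getattr` on the directory is exactly what a stat needs.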
Index: refpolicy/policy/modules/contrib/samba.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/samba.te
+++ refpolicy/policy/modules/contrib/samba.te
@@ -6,6 +6,14 @@ policy_module(samba, 1.19.0)
 #
 
 ## <desc>
+##      <p>
+##      Determine whether smbd_t can
+##      read shadow files.
+##      </p>
+## </desc>
+gen_tunable(allow_smbd_read_shadow, false)
+
+## <desc>
 ##	<p>
 ##	Determine whether samba can modify
 ##	public files used for public file
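Review bot: The new `<desc>` block is indented with spaces while the existing block directly below uses tabs, so the two render differently and the lines will trip refpolicy's whitespace checks. The description should also say what a file server needs the shadow file for, since this is a default-off tunable that grants read access to password hashes; something like `##	Determine whether smbd can read /etc/shadow (needed only for unix password sync).` lets an admin judge the exposure before enabling it, with the parenthetical adjusted to whatever the actual use case is.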
@@ -104,8 +112,9 @@ type nmbd_t;
 type nmbd_exec_t;
 init_daemon_domain(nmbd_t, nmbd_exec_t)
 
-type nmbd_var_run_t;
-files_pid_file(nmbd_var_run_t)
+type samba_var_run_t;
+typealias samba_var_run_t alias { nmbd_var_run_t smbd_var_run_t };
+files_pid_file(samba_var_run_t)
 
 type samba_etc_t;
 files_config_file(samba_etc_t)
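Review bot: Collapsing nmbd_var_run_t and smbd_var_run_t into samba_var_run_t removes the separation the old rules relied on (winbind_t could only read nmbd's files, nmbd_t only rw smbd's directory), so each daemon now has full manage rights over the other's tdb, pid and socket files; the aliases keep existing labels valid but do not keep that separation. That is probably intended since both daemons share /var/run/samba, but the hunk gives no reason; a comment above the typealias such as `# smbd and nmbd share /var/run/samba, so their runtime state uses one type` would record the trade-off. The same widening applies to the nmbd, smbcontrol, swat and winbind hunks further down in this file.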
@@ -151,9 +160,6 @@ files_type(smbd_keytab_t)
 type smbd_tmp_t;
 files_tmp_file(smbd_tmp_t)
 
-type smbd_var_run_t;
-files_pid_file(smbd_var_run_t)
-
 type smbmount_t;
 type smbmount_exec_t;
 application_domain(smbmount_t, smbmount_exec_t)
@@ -305,16 +311,15 @@ manage_dirs_pattern(smbd_t, smbd_tmp_t,
 manage_files_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t)
 files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
 
-manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
-manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
-manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
-files_pid_filetrans(smbd_t, smbd_var_run_t, { dir file })
+manage_dirs_pattern(smbd_t, samba_var_run_t, samba_var_run_t)
+manage_files_pattern(smbd_t, samba_var_run_t, samba_var_run_t)
+manage_sock_files_pattern(smbd_t, samba_var_run_t, samba_var_run_t)
+files_pid_filetrans(smbd_t, samba_var_run_t, { dir file })
 
 allow smbd_t winbind_var_run_t:sock_file read_sock_file_perms;
 stream_connect_pattern(smbd_t, winbind_var_run_t, winbind_var_run_t, winbind_t)
 
-allow smbd_t nmbd_var_run_t:file read_file_perms;
-stream_connect_pattern(smbd_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
+stream_connect_pattern(smbd_t, samba_var_run_t, samba_var_run_t, nmbd_t)
 
 kernel_getattr_core_if(smbd_t)
 kernel_getattr_message_if(smbd_t)
@@ -377,6 +382,11 @@ auth_domtrans_upd_passwd(smbd_t)
 auth_manage_cache(smbd_t)
 auth_write_login_records(smbd_t)
 
+auth_can_read_shadow_passwords(smbd_t)
+tunable_policy(`allow_smbd_read_shadow',`
+	auth_tunable_read_shadow(smbd_t)
+')
+
 init_rw_utmp(smbd_t)
 
 logging_search_logs(smbd_t)
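Review bot: `auth_can_read_shadow_passwords(smbd_t)` sits outside the tunable block and is applied unconditionally, while only `auth_tunable_read_shadow(smbd_t)` is gated by allow_smbd_read_shadow. If, as in upstream refpolicy, the first call only adds the attribute that exempts the domain from the shadow_t neverallow, this layout is required because neverallow is checked at build time, but nothing in the hunk says so. A comment such as `# the attribute must be unconditional to pass the shadow_t neverallow; actual read access is gated by the tunable` would stop the next reader from "fixing" it by moving the call inside the tunable block.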
@@ -519,11 +529,10 @@ allow nmbd_t self:tcp_socket { accept li
 allow nmbd_t self:unix_dgram_socket sendto;
 allow nmbd_t self:unix_stream_socket { accept connectto listen };
 
-manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
-manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
-manage_sock_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
-files_pid_filetrans(nmbd_t, nmbd_var_run_t, { dir file sock_file })
-filetrans_pattern(nmbd_t, smbd_var_run_t, nmbd_var_run_t, dir)
+manage_dirs_pattern(nmbd_t, samba_var_run_t, samba_var_run_t)
+manage_files_pattern(nmbd_t, samba_var_run_t, samba_var_run_t)
+manage_sock_files_pattern(nmbd_t, samba_var_run_t, samba_var_run_t)
+files_pid_filetrans(nmbd_t, samba_var_run_t, { dir file sock_file })
 
 read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
 read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
@@ -542,7 +551,7 @@ files_var_filetrans(nmbd_t, samba_var_t,
 
 allow nmbd_t { swat_t smbcontrol_t }:process signal;
 
-allow nmbd_t smbd_var_run_t:dir rw_dir_perms;
+allow nmbd_t samba_var_run_t:dir rw_dir_perms;
 
 kernel_getattr_core_if(nmbd_t)
 kernel_getattr_message_if(nmbd_t)
@@ -567,6 +576,8 @@ corenet_sendrecv_smbd_client_packets(nmb
 corenet_tcp_connect_smbd_port(nmbd_t)
 corenet_tcp_sendrecv_smbd_port(nmbd_t)
 
+corecmd_search_bin(nmbd_t)
+dev_read_urand(nmbd_t)
 dev_read_sysfs(nmbd_t)
 dev_getattr_mtrr_dev(nmbd_t)
 
@@ -618,7 +629,7 @@ allow smbcontrol_t self:unix_stream_sock
 allow smbcontrol_t self:process { signal signull };
 
 allow smbcontrol_t { winbind_t nmbd_t smbd_t }:process { signal signull };
-read_files_pattern(smbcontrol_t, { nmbd_var_run_t smbd_var_run_t }, { nmbd_var_run_t smbd_var_run_t })
+read_files_pattern(smbcontrol_t, samba_var_run_t, samba_var_run_t)
 
 manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
 
@@ -733,8 +744,8 @@ allow swat_t self:unix_stream_socket con
 
 allow swat_t { nmbd_t smbd_t }:process { signal signull };
 
-allow swat_t smbd_var_run_t:file read_file_perms;
-allow swat_t smbd_var_run_t:file { lock delete_file_perms };
+allow swat_t samba_var_run_t:file read_file_perms;
+allow swat_t samba_var_run_t:file { lock delete_file_perms };
 
 rw_files_pattern(swat_t, samba_etc_t, samba_etc_t)
 read_lnk_files_pattern(swat_t, samba_etc_t, samba_etc_t)
@@ -766,8 +777,8 @@ read_files_pattern(swat_t, winbind_var_r
 allow swat_t winbind_var_run_t:dir { add_entry_dir_perms del_entry_dir_perms };
 allow swat_t winbind_var_run_t:sock_file { create_sock_file_perms delete_sock_file_perms };
 
-read_files_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t)
-stream_connect_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
+read_files_pattern(swat_t, samba_var_run_t, samba_var_run_t)
+stream_connect_pattern(swat_t, samba_var_run_t, samba_var_run_t, nmbd_t)
 
 samba_domtrans_smbd(swat_t)
 samba_domtrans_nmbd(swat_t)
@@ -852,8 +863,8 @@ allow winbind_t self:tcp_socket { accept
 
 allow winbind_t nmbd_t:process { signal signull };
 
-allow winbind_t nmbd_var_run_t:file read_file_perms;
-stream_connect_pattern(winbind_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
+allow winbind_t samba_var_run_t:file read_file_perms;
+stream_connect_pattern(winbind_t, samba_var_run_t, samba_var_run_t, nmbd_t)
 
 allow winbind_t samba_etc_t:dir list_dir_perms;
 read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
@@ -885,15 +896,15 @@ manage_files_pattern(winbind_t, winbind_
 manage_sock_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
 files_tmp_filetrans(winbind_t, winbind_tmp_t, { file dir })
 
-manage_dirs_pattern(winbind_t, { smbd_var_run_t winbind_var_run_t }, winbind_var_run_t)
+manage_dirs_pattern(winbind_t, { samba_var_run_t winbind_var_run_t }, winbind_var_run_t)
 manage_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
 manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
 files_pid_filetrans(winbind_t, winbind_var_run_t, { sock_file file dir })
-filetrans_pattern(winbind_t, smbd_var_run_t, winbind_var_run_t, dir)
+filetrans_pattern(winbind_t, samba_var_run_t, winbind_var_run_t, dir)
 
-manage_dirs_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
-manage_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
-manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
+manage_dirs_pattern(winbind_t, samba_var_run_t, samba_var_run_t)
+manage_files_pattern(winbind_t, samba_var_run_t, samba_var_run_t)
+manage_sock_files_pattern(winbind_t, samba_var_run_t, samba_var_run_t)
 
 kernel_read_network_state(winbind_t)
 kernel_read_kernel_sysctls(winbind_t)
Index: refpolicy/policy/modules/contrib/samba.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/samba.fc
+++ refpolicy/policy/modules/contrib/samba.fc
@@ -31,21 +31,21 @@
 
 /var/nmbd(/.*)?	gen_context(system_u:object_r:samba_var_t,s0)
 
-/var/run/nmbd(/.*)?	gen_context(system_u:object_r:nmbd_var_run_t,s0)
-/var/run/samba/nmbd(/.*)?	gen_context(system_u:object_r:nmbd_var_run_t,s0)
+/var/run/nmbd(/.*)?	gen_context(system_u:object_r:samba_var_run_t,s0)
+/var/run/samba/nmbd(/.*)?	gen_context(system_u:object_r:samba_var_run_t,s0)
 
-/var/run/samba(/.*)?	gen_context(system_u:object_r:smbd_var_run_t,s0)
-/var/run/samba/brlock\.tdb	--	gen_context(system_u:object_r:smbd_var_run_t,s0)
-/var/run/samba/connections\.tdb	--	gen_context(system_u:object_r:smbd_var_run_t,s0)
-/var/run/samba/gencache\.tdb	--	gen_context(system_u:object_r:smbd_var_run_t,s0)
-/var/run/samba/locking\.tdb --	gen_context(system_u:object_r:smbd_var_run_t,s0)
-/var/run/samba/messages\.tdb	--	gen_context(system_u:object_r:nmbd_var_run_t,s0)
-/var/run/samba/namelist\.debug	--	gen_context(system_u:object_r:nmbd_var_run_t,s0)
-/var/run/samba/nmbd\.pid	--	gen_context(system_u:object_r:nmbd_var_run_t,s0)
-/var/run/samba/sessionid\.tdb	--	gen_context(system_u:object_r:smbd_var_run_t,s0)
-/var/run/samba/share_info\.tdb	--	gen_context(system_u:object_r:smbd_var_run_t,s0)
-/var/run/samba/smbd\.pid	--	gen_context(system_u:object_r:smbd_var_run_t,s0)
-/var/run/samba/unexpected\.tdb	--	gen_context(system_u:object_r:nmbd_var_run_t,s0)
+/var/run/samba(/.*)?	gen_context(system_u:object_r:samba_var_run_t,s0)
+/var/run/samba/brlock\.tdb	--	gen_context(system_u:object_r:samba_var_run_t,s0)
+/var/run/samba/connections\.tdb	--	gen_context(system_u:object_r:samba_var_run_t,s0)
+/var/run/samba/gencache\.tdb	--	gen_context(system_u:object_r:samba_var_run_t,s0)
+/var/run/samba/locking\.tdb --	gen_context(system_u:object_r:samba_var_run_t,s0)
+/var/run/samba/messages\.tdb	--	gen_context(system_u:object_r:samba_var_run_t,s0)
+/var/run/samba/namelist\.debug	--	gen_context(system_u:object_r:samba_var_run_t,s0)
+/var/run/samba/nmbd\.pid	--	gen_context(system_u:object_r:samba_var_run_t,s0)
+/var/run/samba/sessionid\.tdb	--	gen_context(system_u:object_r:samba_var_run_t,s0)
+/var/run/samba/share_info\.tdb	--	gen_context(system_u:object_r:samba_var_run_t,s0)
+/var/run/samba/smbd\.pid	--	gen_context(system_u:object_r:samba_var_run_t,s0)
+/var/run/samba/unexpected\.tdb	--	gen_context(system_u:object_r:samba_var_run_t,s0)
 
 /var/run/winbindd(/.*)?	gen_context(system_u:object_r:winbind_var_run_t,s0)
 /var/run/samba/winbindd(/.*)?	gen_context(system_u:object_r:winbind_var_run_t,s0)
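Review bot: Now that every entry under `/var/run/samba` resolves to samba_var_run_t, the per-file rules from `brlock\.tdb` through `unexpected\.tdb` are redundant with the `/var/run/samba(/.*)?` rule and only add matching cost and maintenance noise; they existed to tell smbd's files from nmbd's, a distinction this patch removes. Keeping just the directory rule (plus the winbindd entries, which still map to a different type) would make the .fc reflect the new single-type layout.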
Index: refpolicy/policy/modules/contrib/rpc.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/rpc.te
+++ refpolicy/policy/modules/contrib/rpc.te
@@ -162,6 +162,9 @@ kernel_rw_fs_sysctls(rpcd_t)
 kernel_dontaudit_getattr_core_if(rpcd_t)
 kernel_signal(rpcd_t)
 
+# for /proc/fs/lockd/nlm_end_grace
+kernel_write_proc_files(rpcd_t)
+
 corecmd_exec_bin(rpcd_t)
 
 files_manage_mounttab(rpcd_t)
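Review bot: `kernel_write_proc_files(rpcd_t)` grants write to every generic proc_t file in order to reach the single `/proc/fs/lockd/nlm_end_grace` entry named in the comment, which is far wider than the need. If the kernel module in this tree can label that path separately (a genfscon entry giving `/proc/fs/lockd` its own type with a narrow rw interface), rpcd's write access stays limited to one file; otherwise the comment should state that no narrower interface exists, so the decision is visible to the next reviewer rather than looking like an oversight.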
Index: refpolicy/policy/modules/contrib/logrotate.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/logrotate.te
+++ refpolicy/policy/modules/contrib/logrotate.te
@@ -36,7 +36,7 @@ role system_r types logrotate_mail_t;
 # Local policy
 #
 
-allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice };
+allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner net_admin setuid setgid sys_resource sys_nice };
 allow logrotate_t self:process ~{ ptrace setcurrent setexec execmem execstack execheap };
 allow logrotate_t self:fd use;
 allow logrotate_t self:key manage_key_perms;
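Review bot: `net_admin` is added to logrotate_t's capability set with no stated reason; it is a broad capability (interface and routing configuration, privileged socket options) that a log rotator has no business holding. This denial typically comes from a setsockopt() on a socket inherited across a service restart rather than from anything logrotate does itself, in which case `dontaudit logrotate_t self:capability net_admin;` is the conventional answer; if something actually fails without it, a comment naming the operation should accompany the allow.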
@@ -89,6 +89,7 @@ files_dontaudit_list_mnt(logrotate_t)
 fs_search_auto_mountpoints(logrotate_t)
 fs_getattr_xattr_fs(logrotate_t)
 fs_list_inotifyfs(logrotate_t)
+fs_getattr_tmpfs(logrotate_t)
 
 mls_file_read_all_levels(logrotate_t)
 mls_file_write_all_levels(logrotate_t)
@@ -102,8 +103,10 @@ auth_manage_login_records(logrotate_t)
 auth_use_nsswitch(logrotate_t)
 
 init_all_labeled_script_domtrans(logrotate_t)
+init_script_service_restart(logrotate_t)
 init_get_generic_units_status(logrotate_t)
 init_get_all_units_status(logrotate_t)
+init_get_system_status(logrotate_t)
 init_dbus_chat(logrotate_t)
 init_stream_connect(logrotate_t)
 
@@ -212,6 +215,7 @@ optional_policy(`
 optional_policy(`
 	mysql_read_config(logrotate_t)
 	mysql_stream_connect(logrotate_t)
+	mysql_signal(logrotate_t)
 ')
 
 optional_policy(`
Index: refpolicy/policy/modules/contrib/acct.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/acct.fc
+++ refpolicy/policy/modules/contrib/acct.fc
@@ -1,5 +1,3 @@
-/etc/cron\.(daily|monthly)/acct	--	gen_context(system_u:object_r:acct_exec_t,s0)
-
 /etc/rc\.d/init\.d/psacct	--	gen_context(system_u:object_r:acct_initrc_exec_t,s0)
 
 /sbin/accton	--	gen_context(system_u:object_r:acct_exec_t,s0)
Index: refpolicy/policy/modules/contrib/mysql.if
===================================================================
--- refpolicy.orig/policy/modules/contrib/mysql.if
+++ refpolicy/policy/modules/contrib/mysql.if
@@ -78,7 +78,7 @@ interface(`mysql_signal',`
 		type mysqld_t;
 	')
 
-	allow $1 mysqld_t:process signal;
+	allow $1 mysqld_t:process { signal signull };
 ')
 
 ########################################
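Review bot: Adding `signull` to `mysql_signal` silently widens what every existing caller of the interface receives, while the interface name and its summary (above the hunk) still describe only `signal`. Refpolicy keeps these separate, so a `mysql_signull` interface with its own summary would let the new logrotate caller in this patch request exactly what it needs; if the combined form is kept, the summary should be updated to mention signull so the doc matches the rule.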
Index: refpolicy/policy/modules/roles/staff.te
===================================================================
--- refpolicy.orig/policy/modules/roles/staff.te
+++ refpolicy/policy/modules/roles/staff.te
@@ -77,7 +77,7 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
-		cron_role(staff_r, staff_t)
+		cron_role(staff_r, staff)
 	')
 
 	optional_policy(`
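Review bot: `cron_role(staff_r, staff)` changes the second argument from the user type to a user prefix, which only works if cron.if in this patch series has been changed to take a prefix and derive the type itself; that change is not in this file, so the two must land together or staff.te fails to build. The same applies to the unprivuser.te hunk below, and any other role file that calls cron_role (sysadm.te, for example) needs the matching update.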
Index: refpolicy/policy/modules/roles/unprivuser.te
===================================================================
--- refpolicy.orig/policy/modules/roles/unprivuser.te
+++ refpolicy/policy/modules/roles/unprivuser.te
@@ -46,7 +46,7 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
-		cron_role(user_r, user_t)
+		cron_role(user_r, user)
 	')
 
 	optional_policy(`
Index: refpolicy/policy/modules/contrib/iodine.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/iodine.fc
+++ refpolicy/policy/modules/contrib/iodine.fc
@@ -1,3 +1,4 @@
 /etc/rc\.d/init\.d/((iodined)|(iodine-server))	--	gen_context(system_u:object_r:iodined_initrc_exec_t,s0)
 
 /usr/sbin/iodined	--	gen_context(system_u:object_r:iodined_exec_t,s0)
+/var/run/iodine(/.*)?		gen_context(system_u:object_r:iodined_var_run_t,s0)
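Review bot: The new `/var/run/iodine(/.*)?` entry references iodined_var_run_t, which has to be declared with files_pid_file in iodine.te for setfiles to accept this file context; if that declaration is not already present in this tree or elsewhere in the patch series, the .fc change should carry it. A matching files_pid_filetrans rule for iodined_t is also what makes the directory get this label when the daemon creates it.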
Index: refpolicy/policy/modules/contrib/squid.if
===================================================================
--- refpolicy.orig/policy/modules/contrib/squid.if
+++ refpolicy/policy/modules/contrib/squid.if
@@ -236,3 +236,22 @@ interface(`squid_admin',`
 	files_list_tmp($1)
 	admin_pattern($1, squid_tmp_t)
 ')
+
+########################################
+## <summary>
+##	dontaudit statting tmpfs files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not be audited
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`squid_dontaudit_tmpfs',`
+	gen_require(`
+		type squid_tmpfs_t;
+	')
+
+	dontaudit $1 squid_tmpfs_t:file getattr;
+')
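Review bot: The `<rolecap/>` tag on the new `squid_dontaudit_tmpfs` interface is wrong: that tag marks interfaces that grant capabilities to user roles, and a dontaudit grants nothing. The name also promises more than the body delivers, which covers only `file getattr`; `squid_dontaudit_getattr_tmpfs_files` would follow the refpolicy naming pattern, and the summary should be a sentence (`##	Do not audit attempts to get the attributes of squid tmpfs files.`).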
Index: refpolicy/policy/modules/system/init.if
===================================================================
--- refpolicy.orig/policy/modules/system/init.if
+++ refpolicy/policy/modules/system/init.if
@@ -3043,7 +3043,7 @@ interface(`init_script_service_restart',
 		attribute init_script_file_type;
 	')
 
-	allow $1 init_script_file_type:service { start status stop };
+	allow $1 init_script_file_type:service { start status stop reload };
 ')
 
 ########################################
Index: refpolicy/policy/modules/kernel/files.if
===================================================================
--- refpolicy.orig/policy/modules/kernel/files.if
+++ refpolicy/policy/modules/kernel/files.if
@@ -433,6 +433,24 @@ interface(`files_tmpfs_file',`
 
 ########################################
 ## <summary>
+##	Do not audit getattr of /dev/shm files
+## </summary>
+## <param name="type">
+##	<summary>
+##	Domain to not audit
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_tmpfs_file',`
+	gen_require(`
+		attribute tmpfsfile;
+	')
+
+	dontaudit $1 tmpfsfile:file getattr;
+')
+
+########################################
+## <summary>
 ##	Get the attributes of all directories.
 ## </summary>
 ## <param name="domain">
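Review bot: The summary of `files_dontaudit_getattr_tmpfs_file` says "/dev/shm files", but the `tmpfsfile` attribute covers every type registered with files_tmpfs_file, not only /dev/shm, so the doc should read `##	Do not audit attempts to get the attributes of tmpfs files.`. The parameter is also named `type` while it holds a domain; the surrounding interfaces use `<param name="domain">`. Following the neighbours' plural naming (`files_dontaudit_getattr_tmpfs_files`) would keep files.if consistent, with the systemd.te call below in this patch renamed to match.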
Index: refpolicy/policy/modules/system/systemd.te
===================================================================
--- refpolicy.orig/policy/modules/system/systemd.te
+++ refpolicy/policy/modules/system/systemd.te
@@ -331,6 +331,7 @@ dev_rw_dri(systemd_logind_t)
 dev_manage_wireless(systemd_logind_t)
 
 files_read_etc_files(systemd_logind_t)
+files_dontaudit_getattr_tmpfs_file(systemd_logind_t)
 
 fs_read_efivarfs_files(systemd_logind_t)
 
Index: refpolicy/policy/modules/contrib/networkmanager.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/networkmanager.te
+++ refpolicy/policy/modules/contrib/networkmanager.te
@@ -227,6 +227,10 @@ optional_policy(`
 	optional_policy(`
 		policykit_dbus_chat(NetworkManager_t)
 	')
+
+	optional_policy(`
+		unconfined_dbus_send(NetworkManager_t)
+	')
 ')
 
 optional_policy(`
Index: refpolicy/policy/modules/contrib/cups.if
===================================================================
--- refpolicy.orig/policy/modules/contrib/cups.if
+++ refpolicy/policy/modules/contrib/cups.if
@@ -69,7 +69,9 @@ interface(`cups_stream_connect',`
 	')
 
 	files_search_pids($1)
-	stream_connect_pattern($1, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
+        allow $1 cupsd_var_run_t:dir search_dir_perms;
+	allow $1 cupsd_var_run_t:sock_file  { read write_sock_file_perms };
+	allow $1 cupsd_t:unix_stream_socket connectto;
 ')
 
 ########################################
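Review bot: The unrolled rules in `cups_stream_connect` mix indentation (the `search_dir_perms` line uses spaces, the others tabs) and spell `{ read write_sock_file_perms }` where the named set `rw_sock_file_perms` already covers read plus the write permissions, with a stray double space before the brace. Unless the extra `read` on the socket file is the sole reason for replacing `stream_connect_pattern`, the hunk would be clearer as `allow $1 cupsd_var_run_t:dir search_dir_perms;`, `allow $1 cupsd_var_run_t:sock_file rw_sock_file_perms;` and `allow $1 cupsd_t:unix_stream_socket connectto;`, preceded by a comment stating why the pattern macro was not enough.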
Index: refpolicy/policy/modules/contrib/logwatch.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/logwatch.te
+++ refpolicy/policy/modules/contrib/logwatch.te
@@ -160,6 +160,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	raid_domtrans_mdadm(logwatch_t)
+')
+
+optional_policy(`
 	rpc_search_nfs_state_data(logwatch_t)
 ')
 
@@ -189,4 +193,5 @@ logging_read_all_logs(logwatch_mail_t)
 
 optional_policy(`
 	cron_use_system_job_fds(logwatch_mail_t)
+	cron_rw_system_job_pipes(logwatch_mail_t)
 ')
Index: refpolicy/policy/modules/contrib/mta.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/mta.fc
+++ refpolicy/policy/modules/contrib/mta.fc
@@ -3,6 +3,7 @@ HOME_DIR/\.forward[^/]*	--	gen_context(s
 HOME_DIR/dead\.letter	--	gen_context(system_u:object_r:mail_home_t,s0)
 HOME_DIR/\.mailrc	--	gen_context(system_u:object_r:mail_home_t,s0)
 HOME_DIR/Maildir(/.*)?	gen_context(system_u:object_r:mail_home_rw_t,s0)
+HOME_DIR/DovecotMail(/.*)?	gen_context(system_u:object_r:mail_home_rw_t,s0)
 HOME_DIR/\.maildir(/.*)?	gen_context(system_u:object_r:mail_home_rw_t,s0)
 
 /bin/mail(x)?	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
